zfs administration guide - illumos.org · zfs administration guide. ... zfs delegated...

The illumos

ZFS Administration Guide

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that isdescribed in this document. In particular, and without limitation, these intellectual property rights may include oneor more U.S. patents or pending patent applications in the U.S. and in other countries.

U.S. Government Rights – Commercial software. Government users are subject to the Sun Microsystems, Inc.standard license agreement and applicable provisions of the FAR and its supplements.

This distribution may include materials developed by third parties.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIXis a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, Java, and Solarisare trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARCtrademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in theU.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by SunMicrosystems, Inc. Legato NetWorker is a trademark or registered trademark of Legato Systems, Inc.

The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its usersand licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept ofvisual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to theXerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs andotherwise comply with Sun’s written license agreements.

Products covered by and information contained in this publication are controlled by U.S. Export Control laws andmay be subject to the export or import laws in other countries. Nuclear, missile, chemical or biological weaponsor nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport tocountries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to,the denied persons and specially designated nationals lists is strictly prohibited.

DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTA-TIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESSFOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENTTHAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright © 2008 Sun Microsystems, Inc.

Contents

Contents i

List of Tables vi

1 ZFS File System (Introduction) 11.1 What’s New in ZFS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Using Cache Devices in Your ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . 3Enhancements to the zfs send Command . . . . . . . . . . . . . . . . . . . . . . . . . . 3ZFS Quotas and Reservations for File System Data Only . . . . . . . . . . . . . . . . . 4ZFS File System Properties for the Solaris CIFS Service . . . . . . . . . . . . . . . . . 4ZFS Storage Pool Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5ZFS and File System Mirror Mounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6ZFS Command History Enhancements (zpool history) . . . . . . . . . . . . . . . . . . 6Upgrading ZFS File Systems (zfs upgrade) . . . . . . . . . . . . . . . . . . . . . . . . 7ZFS Delegated Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Setting Up Separate ZFS Logging Devices . . . . . . . . . . . . . . . . . . . . . . . . . 8Creating Intermediate ZFS Datasets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9ZFS Hotplugging Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Recursively Renaming ZFS Snapshots (zfs rename -r) . . . . . . . . . . . . . . . . . . 10GZIP Compression is Available for ZFS . . . . . . . . . . . . . . . . . . . . . . . . . . 11Storing Multiple Copies of ZFS User Data . . . . . . . . . . . . . . . . . . . . . . . . . 11Improved zpool status Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12ZFS and Solaris iSCSI Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Sharing ZFS File System Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . 12ZFS Command History (zpool history) . . . . . . . . . . . . . . . . . . . . . . . . . . 13ZFS Property Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

ZFS xattr Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14ZFS canmount Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14ZFS User Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Setting Properties When Creating ZFS File Systems . . . . . . . . . . . . . . . 14

Displaying All ZFS File System Information . . . . . . . . . . . . . . . . . . . . . . . . 15New zfs receive -F Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Recursive ZFS Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Double Parity RAID-Z (raidz2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Hot Spares for ZFS Storage Pool Devices . . . . . . . . . . . . . . . . . . . . . . . . . 15Replacing a ZFS File System With a ZFS Clone (zfs promote) . . . . . . . . . . . . . . 16Upgrading ZFS Storage Pools (zpool upgrade) . . . . . . . . . . . . . . . . . . . . . . 16Using ZFS to Clone Non-Global Zones and Other Enhancements . . . . . . . . . . . . . 16

i

CONTENTS

ZFS Backup and Restore Commands are Renamed . . . . . . . . . . . . . . . . . . . . 17Recovering Destroyed Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17ZFS is Integrated With Fault Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 17New zpool clear Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Compact NFSv4 ACL Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17File System Monitoring Tool (fsstat) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18ZFS Web-Based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

1.2 What Is ZFS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19ZFS Pooled Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Transactional Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Checksums and Self-Healing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Unparalleled Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20ZFS Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Simplified Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

1.3 ZFS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211.4 ZFS Component Naming Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2 Getting Started With ZFS 232.1 ZFS Hardware and Software Requirements and Recommendations . . . . . . . . . . . . 232.2 Creating a Basic ZFS File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.3 Creating a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242.4 Creating a ZFS File System Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3 ZFS and Traditional File System Differences 293.1 ZFS File System Granularity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293.2 ZFS Space Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Out of Space Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303.3 Mounting ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303.4 Traditional Volume Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313.5 The NFSv4 ACL Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4 Managing ZFS Storage Pools 334.1 Components of a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Using Disks in a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Using Files in a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Identifying Virtual Devices in a Storage Pool . . . . . . . . . . . . . . . . . . . . . . . 35

4.2 Replication Features of a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . 35Mirrored Storage Pool Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36RAID-Z Storage Pool Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Self-Healing Data in a Redundant Configuration . . . . . . . . . . . . . . . . . . . . . . 37Dynamic Striping in a Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

4.3 Creating and Destroying ZFS Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . 37Creating a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Creating a Basic Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Creating a Mirrored Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . 38Creating RAID-Z Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . . 38Creating a ZFS Storage Pool with Log Devices . . . . . . . . . . . . . . . . . . 39Creating a ZFS Storage Pool with Cache Devices . . . . . . . . . . . . . . . . . 40

Handling ZFS Storage Pool Creation Errors . . . . . . . . . . . . . . . . . . . . . . . . 41

ii

Contents

Detecting in Use Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Mismatched Replication Levels . . . . . . . . . . . . . . . . . . . . . . . . . . 42Doing a Dry Run of Storage Pool Creation . . . . . . . . . . . . . . . . . . . . 42Default Mount Point for Storage Pools . . . . . . . . . . . . . . . . . . . . . . . 43

Destroying ZFS Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Destroying a Pool With Faulted Devices . . . . . . . . . . . . . . . . . . . . . . 43

4.4 Managing Devices in ZFS Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . . 44Adding Devices to a Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Attaching and Detaching Devices in a Storage Pool . . . . . . . . . . . . . . . . . . . . 47Onlining and Offlining Devices in a Storage Pool . . . . . . . . . . . . . . . . . . . . . 48

Taking a Device Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Bringing a Device Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Clearing Storage Pool Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Replacing Devices in a Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Designating Hot Spares in Your Storage Pool . . . . . . . . . . . . . . . . . . . . . . . 51

Activating and Deactivating Hot Spares in Your Storage Pool . . . . . . . . . . . 524.5 Managing ZFS Storage Pool Properties . . . . . . . . . . . . . . . . . . . . . . . . . . 544.6 Querying ZFS Storage Pool Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Displaying Basic ZFS Storage Pool Information . . . . . . . . . . . . . . . . . . . . . . 56Listing Information About All Storage Pools . . . . . . . . . . . . . . . . . . . 56Listing Specific Storage Pool Statistics . . . . . . . . . . . . . . . . . . . . . . 57Scripting ZFS Storage Pool Output . . . . . . . . . . . . . . . . . . . . . . . . 58

Viewing ZFS Storage Pool I/O Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . 58Listing Pool-Wide Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Listing Virtual Device Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Determining the Health Status of ZFS Storage Pools . . . . . . . . . . . . . . . . . . . 60Basic Storage Pool Health Status . . . . . . . . . . . . . . . . . . . . . . . . . . 60Detailed Health Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

4.7 Migrating ZFS Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Preparing for ZFS Storage Pool Migration . . . . . . . . . . . . . . . . . . . . . . . . . 62Exporting a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Determining Available Storage Pools to Import . . . . . . . . . . . . . . . . . . . . . . 63Finding ZFS Storage Pools From Alternate Directories . . . . . . . . . . . . . . . . . . 65Importing ZFS Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Recovering Destroyed ZFS Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . 66Upgrading ZFS Storage Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

5 Managing ZFS File Systems 715.1 Creating and Destroying ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . 72

Creating a ZFS File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Destroying a ZFS File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Renaming a ZFS File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

5.2 Introducing ZFS Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74ZFS Read-Only Native Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

The used Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Settable ZFS Native Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

The canmount Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83The casesensitivity Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84The recordsize Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

iii

CONTENTS

The sharesmb Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84The volsize Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

ZFS User Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855.3 Querying ZFS File System Information . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Listing Basic ZFS Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Creating Complex ZFS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

5.4 Managing ZFS Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Setting ZFS Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Inheriting ZFS Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Querying ZFS Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Querying ZFS Properties for Scripting . . . . . . . . . . . . . . . . . . . . . . . 915.5 Mounting and Sharing ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Managing ZFS Mount Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Automatic Mount Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Legacy Mount Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Mounting ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Using Temporary Mount Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Unmounting ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Sharing and Unsharing ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . 96

Controlling Share Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Unsharing ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Sharing ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Legacy Share Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Sharing ZFS Files in a Solaris CIFS Environment . . . . . . . . . . . . . . . . . . . . . 975.6 ZFS Quotas and Reservations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Setting Quotas on ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Setting Reservations on ZFS File Systems . . . . . . . . . . . . . . . . . . . . . . . . . 101

6 Working With ZFS Snapshots and Clones 1036.1 Overview of ZFS Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Creating and Destroying ZFS Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . 104Renaming ZFS Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Displaying and Accessing ZFS Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . 105Snapshot Space Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Rolling Back to a ZFS Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1066.2 Overview of ZFS Clones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Creating a ZFS Clone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Destroying a ZFS Clone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Replacing a ZFS File System With a ZFS Clone . . . . . . . . . . . . . . . . . . . . . . 108

6.3 Saving and Restoring ZFS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Saving ZFS Data With Other Backup Products . . . . . . . . . . . . . . . . . . . . . . . 110Saving a ZFS Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Restoring a ZFS Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Sending and Receiving Complex ZFS Snapshot Streams . . . . . . . . . . . . . . . . . 111

Remote Replication of ZFS Data . . . . . . . . . . . . . . . . . . . . . . . . . . 114

7 Using ACLs to Protect ZFS Files 1157.1 The NFSv4 ACL Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Syntax Descriptions for Setting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

iv

Contents

ACL Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119ACL Property Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

7.2 Setting ACLs on ZFS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1207.3 Setting and Displaying ACLs on ZFS Files in Verbose Format . . . . . . . . . . . . . . 123

Setting ACL Inheritance on ZFS Files in Verbose Format . . . . . . . . . . . . . . . . . 1277.4 Setting and Displaying ACLs on ZFS Files in Compact Format . . . . . . . . . . . . . . 133

8 ZFS Delegated Administration 1378.1 Overview of ZFS Delegated Administration . . . . . . . . . . . . . . . . . . . . . . . . 137

Disabling ZFS Delegated Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1388.2 Delegating ZFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Syntax Descriptions for Delegating Permissions . . . . . . . . . . . . . . . . . . . . . . 140Removing ZFS Delegated Permissions (zfs unallow) . . . . . . . . . . . . . . . . . . . 141

8.3 Using ZFS Delegated Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Displaying ZFS Delegated Permissions (Examples) . . . . . . . . . . . . . . . . . . . . 141Delegating ZFS Permissions (Examples) . . . . . . . . . . . . . . . . . . . . . . . . . . 143Removing ZFS Permission (Examples) . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

9 ZFS Advanced Topics 1499.1 ZFS Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Using a ZFS Volume as a Swap or Dump Device . . . . . . . . . . . . . . . . . . . . . 150Using a ZFS Volume as a Solaris iSCSI Target . . . . . . . . . . . . . . . . . . . . . . . 150

9.2 Using ZFS With Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Adding ZFS File Systems to a Non-Global Zone . . . . . . . . . . . . . . . . . . . . . . 152Delegating Datasets to a Non-Global Zone . . . . . . . . . . . . . . . . . . . . . . . . . 152Adding ZFS Volumes to a Non-Global Zone . . . . . . . . . . . . . . . . . . . . . . . . 153Using ZFS Storage Pools Within a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . 153Managing ZFS Properties Within a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . 153Understanding the zoned Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

9.3 Using ZFS Alternate Root Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Creating ZFS Alternate Root Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Importing Alternate Root Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

9.4 ZFS Rights Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

10 ZFS Troubleshooting and Data Recovery 15710.1 ZFS Failure Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Missing Devices in a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . 158Damaged Devices in a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . . 158Corrupted ZFS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

10.2 Checking ZFS Data Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Data Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Data Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Controlling ZFS Data Scrubbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Explicit ZFS Data Scrubbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159ZFS Data Scrubbing and Resilvering . . . . . . . . . . . . . . . . . . . . . . . 160

10.3 Identifying Problems in ZFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Determining if Problems Exist in a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . 161Reviewing zpool status Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Overall Pool Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . 162

v

Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Scrubbing Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Data Corruption Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

System Reporting of ZFS Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . 16410.4 Repairing a Damaged ZFS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 16510.5 Repairing a Missing Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Physically Reattaching the Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Notifying ZFS of Device Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

10.6 Repairing a Damaged Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Determining the Type of Device Failure . . . . . . . . . . . . . . . . . . . . . . . . . . 166Clearing Transient Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167Replacing a Device in a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . . . . . 168

Determining if a Device Can Be Replaced . . . . . . . . . . . . . . . . . . . . . 168Devices That Cannot be Replaced . . . . . . . . . . . . . . . . . . . . . . . . . 169Replacing a Device in a ZFS Storage Pool . . . . . . . . . . . . . . . . . . . . . 169Viewing Resilvering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

10.7 Repairing Damaged Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Identifying the Type of Data Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . 171Repairing a Corrupted File or Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 172Repairing ZFS Storage Pool-Wide Damage . . . . . . . . . . . . . . . . . . . . . . . . 174

10.8 Repairing an Unbootable System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

List of Tables

1 Typographic Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix2 Shell Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

4.1 ZFS Pool Property Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

5.1 ZFS Native Property Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755.2 Types of ZFS Datasets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875.3 Possible SOURCE Values (zfs get) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

7.1 ACL Entry Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1187.2 ACL Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1187.3 ACL Inheritance Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

vi

Preface

The ZFS Administration Guide provides information about setting up and managing ZFS file systems.

This guide contains information for both SPARC® based and x86 based systems.

NoteThis illumos release supports systems that use the SPARC and x86 families of processor architectures:UltraSPARC®, SPARC64, AMD64, Pentium, and Xeon EM64T. The supported systems appear in theillumos Hardware Compatibility List. This document cites any implementation differences between theplatform types.In this document these x86 terms mean the following:

• “x86” refers to the larger family of 64-bit and 32-bit x86 compatible products.

• “x64” points out specific 64-bit information about AMD64 or EM64T systems.

• “32-bit x86” points out specific 32-bit information about x86 based systems.

For supported systems, see the illumos Hardware Compatibility List.

Who Should Use This Book

This guide is intended for anyone who is interested in setting up and managing ZFS file systems. Experienceusing illumos or another UNIX® operating system is recommended.

How This Book Is Organized

The following table describes the chapters in this book.

Chapter Description

Chapter 1Provides an overview of ZFS and its features and benefits. It alsocovers some basic concepts and terminology.

Chapter 2

Provides step-by-step instructions on setting up simple ZFSconfigurations with simple pools and file systems. This chapter alsoprovides the hardware and software required to create ZFS filesystems.

vii

PREFACE

Chapter Description

Chapter 3

Identifies important features that make ZFS significantly differentfrom traditional file systems. Understanding these key differenceswill help reduce confusion when using traditional tools to interactwith ZFS.

Chapter 4Provides a detailed description of how to create and administerstorage pools.

Chapter 5

Provides detailed information about managing ZFS file systems.Included are such concepts as hierarchical file system layout,property inheritance, and automatic mount point management andshare interactions.

Chapter 6 Describes how to create and administer ZFS snapshots and clones.

Chapter 7Describes how to use access control lists (ACLs) to protect yourZFS files by providing more granular permissions then the standardUNIX permissions.

Chapter 9Provides information on using ZFS volumes, using ZFS with zones,and alternate root pools.

Chapter 10Describes how to identify ZFS failure modes and how to recoverfrom them. Steps for preventing failures are covered as well.

Related Books

Related information about general Solaris system administration topics can be found in the followingbooks:

• Solaris System Administration: Basic Administration

• Solaris System Administration: Advanced Administration

• Solaris System Administration: Devices and File Systems

• Solaris System Administration: Security Services

• Solaris Volume Manager Administration Guide

Documentation, Support, and Training

The Sun web site provides information about the following additional resources:

• Documentation

• Support

• Training

Typographic Conventions

The following table describes the typographic conventions that are used in this book.

viii

Shell Prompts in Command Examples

Table 1: Typographic Conventions

Typeface Meaning Example

AaBbCc123The names of commands, files, anddirectories, and onscreen computer output

Edit your .login file.Use ls-a to list all files.machine_name% youhave mail.

AaBbCc123What you type, contrasted with onscreencomputer output

machine_name% suPassword:

aabbcc123Placeholder: replace with a real name orvalue

The command to remove a file isrm filename.

AaBbCc123Book titles, new terms, and terms to beemphasized

Read Chapter 6 in the User’sGuide.A cache is a copy that is storedlocally.Do not save the file.Note: Some emphasized itemsappear bold online.

Shell Prompts in Command Examples

The following table shows the default UNIX system prompt and superuser prompt for the C shell, Bourneshell, and Korn shell.

Table 2: Shell Prompts

Shell PromptC shell machine_name%C shell for superuser machine_name#Bourne shell and Korn shell $Bourne shell and Korn shell for superuser #

ix

Chapter 1

ZFS File System (Introduction)

This chapter provides an overview of the ZFS file system and its features and benefits. This chapter alsocovers some basic terminology used throughout the rest of this book.

The following sections are provided in this chapter:

• Section 1.1

• Section 1.2

• Section 1.3

• Section 1.4

1.1 What’s New in ZFS?

This section summarizes new features in the ZFS file system.

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

1

1. ZFS FILE SYSTEM (INTRODUCTION)

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

• Section 1.1

2

1.1. What’s New in ZFS?

Using Cache Devices in Your ZFS Storage Pool

Solaris Express Developer Edition 1/08: In this Solaris release, you can create pool and specify cachedevices, which are used to cache storage pool data.

Cache devices provide an additional layer of caching between main memory and disk. Using cache devicesprovide the greatest performance improvement for random read-workloads of mostly static content.

One or more cache devices can specified when the pool is created. For example:

# zpool create pool mirror c0t2d0 c0t4d0 cache c0t0d0# zpool status poolpool: pool

state: ONLINEscrub: none requestedconfig:

NAME STATE READ WRITE CKSUMpool ONLINE 0 0 0mirror ONLINE 0 0 0c0t2d0 ONLINE 0 0 0c0t4d0 ONLINE 0 0 0

cachec0t0d0 ONLINE 0 0 0

errors: No known data errors

After cache devices are added, they gradually fill with content from main memory. Depending on the sizeof your cache device, it could take over an hour for them to fill. Capacity and reads can be monitored byusing the zpool iostat command as follows:

# zpool iostat -v pool 5

Cache devices can be added or removed from the pool after the pool is created.

For more information, see Section 4.3 and Example 4.3.

Enhancements to the zfs send Command

Solaris Express Developer Edition 1/08: This release includes the following enhancements to the zfssend command.

• Send all incremental streams from one snapshot to a cumulative snapshot. For example:

# zfs listNAME USED AVAIL REFER MOUNTPOINTpool 428K 16.5G 20K /poolpool/fs 71K 16.5G 21K /pool/fspool/fs@snapA 16K - 18.5K -pool/fs@snapB 17K - 20K -pool/fs@snapC 17K - 20.5K -pool/fs@snapD 0 - 21K -# zfs send -I pool/fs@snapA pool/fs@snapD > /snaps/fs@combo

Send all incremental snapshots between fs@snapA to fs@snapD to fs@combo.

3


• Send an incremental stream from the origin snapshot to create a clone. The original snapshot mustalready exist on the receiving side to accept the incremental stream. For example:

# zfs send -I pool/fs@snap1 pool/clone@snapA > /snaps/fsclonesnap-I..# zfs receive -F pool/clone < /snaps/fsclonesnap-I

• Send a replication stream of all descendent file systems, up to the named snapshots. When received, allproperties, snapshots, descendent file systems, and clones are preserved. For example:

zfs send -R pool/fs@snap > snaps/fs-R

For an extended example, see Example 6.1.

• Send an incremental replication stream.

zfs send -R -[iI] @snapA pool/fs@snapD

For an extended example, see Example 6.1.

For more information, see Section 6.3.

ZFS Quotas and Reservations for File System Data Only

Solaris Express Developer Edition 1/08: In addition to the existing ZFS quota and reservation features,this release includes dataset quotas and reservations that do not include descendents, such as snapshotsand clones, in the space consumption accounting.

• The refquota property limits the amount of space a dataset can consume. This property enforces ahard limit on the amount of space that can be used. This hard limit does not include space used bydescendents, such as snapshots and clones.

• The refreservation property sets the minimum amount of space that is guaranteed to a dataset,not including its descendents.

For example, you can set a 10 Gbyte refquota for studentA that sets a 10-Gbyte hard limit of referencedspace. For additional flexibility, you can set a 20-Gbyte quota that allows you to manage studentA’ssnapshots.

# zfs set refquota=10g tank/studentA# zfs set quota=20g tank/studentA


ZFS File System Properties for the Solaris CIFS Service

Solaris Express Developer Edition 1/08: This release provides support for the Solaris Common InternetFile System (CIFS) service. This product provides the ability to share files between Solaris and Windowsor MacOS systems.

To facilitate sharing files between these systems by using the Solaris CIFS service, the following new ZFSproperties are provided:

4


• Case sensitivity support (casesensitivity)

• Non-blocking mandatory locks (nbmand)

• SMB share support (sharesmb)

• Unicode normalization support (normalization)

• UTF-8 character set support (utf8only)

Currently, the sharesmb property is available to share ZFS files in the Solaris CIFS environment. MoreZFS CIFS-related properties will be available in an upcoming release. For information about using thesharesmb property, see Section 5.5.

In addition to the ZFS properties added for supporting the Solaris CIFS software product, the vscanproperty is available for scanning ZFS files if you have a 3rd-party virus scanning engine.

ZFS Storage Pool Properties

Solaris Express Developer Edition 1/08: ZFS storage pool properties were introduced in an earlierrelease. This release provides for additional property information. For example:

# zpool get all usersNAME PROPERTY VALUE SOURCEusers size 16.8G -users used 217M -users available 16.5G -users capacity 1% -users altroot - defaultusers health ONLINE -users guid 11063207170669925585 -users version 8 defaultusers bootfs - defaultusers delegation on defaultusers autoreplace off defaultusers temporary on local

For a description of these properties, see Table 4.1.

• The cachefile property – Solaris Express Developer Edition 1/08: This release provides the cachefile property, which controls where pool configuration information is cached. All pools in the cacheare automatically imported when the system boots. However, installation and clustering environmentsmight need to cache this information in a different location so that pools are not automatically imported.

You can set this property to cache pool configuration in a different location that can be imported later byusing the zpool import c command. For most ZFS configurations, this property would not be used.

The cachefile property is not persistent and is not stored on disk. This property replaces thetemporary property that was used to indicate that pool information should not be cached in previousSolaris releases.

• The failmode property – Solaris Express Developer Edition 1/08: This release provides the failmode property for determining the behavior of a catastrophic pool failure due to a loss of deviceconnectivity or the failure of all devices in the pool. The failmode property can be set to these values:

5


wait, continue, or panic. The default value is wait, which means you must reconnect the deviceor replace a failed device and clear the error with the zpool clear command.

The failmode property is set like other settable ZFS properties, which can be set either before or afterthe pool is created. For example:

# zpool set failmode=continue tank# zpool get failmode tankNAME PROPERTY VALUE SOURCEtank failmode continue local

# zpool create -o failmode=continue

For a description of all ZFS pool properties, see Table 4.1.

ZFS and File System Mirror Mounts

Solaris Express Developer Edition 1/08: In this Solaris release, NFSv4 mount enhancements are pro-vided to make ZFS file systems more accessible to NFS clients.

When file systems are created on the NFS server, the NFS client can automatically discover these newlycreated file systems within their existing mount of a parent file system.

For example, if the server neo already shares the tank file system and client zee has it mounted,/tank/baz is automatically visible on the client after it is created on the server.

zee# mount neo:/tank /mntzee# ls /mntbaa bar

neo# zfs create tank/baz

zee% ls /mntbaa bar bazzee% ls /mnt/bazfile1 file2

ZFS Command History Enhancements (zpool history)

Solaris Express Developer Edition 9/07: The zpool history command has been enhanced to provide thefollowing new features:

• ZFS file system event information

• A -l option for displaying a long format that includes the user name, the hostname, and the zone inwhich the operation was performed

• A -i option for displaying internal event information that can be used for diagnostic purposes

For example, the zpool history command provides both zpool command events and zfs command events.

6


# zpool history usersHistory for ’users’:2007-04-26.12:44:02 zpool create users mirror c0t8d0 c0t9d0 c0t10d02007-04-26.12:44:38 zfs create users/markm2007-04-26.12:44:47 zfs create users/marks2007-04-26.12:44:57 zfs create users/neil2007-04-26.12:47:15 zfs snapshot -r users/[email protected]:54:50 zfs snapshot -r users/[email protected]:29:13 zfs create users/snapshots2007-04-26.13:30:00 zfs create -o compression=gzip users/snapshots2007-04-26.13:31:24 zfs create -o compression=gzip-9 users/oldfiles2007-04-26.13:31:47 zfs set copies=2 users/home2007-06-25.14:22:52 zpool offline users c0t10d02007-06-25.14:52:42 zpool online users c0t10d02007-06-25.14:53:06 zpool upgrade users

The zpool history -i option provides internal event information. For example:

# zpool history -i

.

.

.2007-08-08.15:10:02 [internal create txg:348657] dataset = 832007-08-08.15:10:03 zfs create tank/mark2007-08-08.15:27:41 [internal permission update txg:348869] ul$76928 create dataset = 52007-08-08.15:27:41 [internal permission update txg:348869] ul$76928 destroy dataset = 52007-08-08.15:27:41 [internal permission update txg:348869] ul$76928 mount dataset = 52007-08-08.15:27:41 [internal permission update txg:348869] ud$76928 create dataset = 52007-08-08.15:27:41 [internal permission update txg:348869] ud$76928 destroy dataset = 52007-08-08.15:27:41 [internal permission update txg:348869] ud$76928 mount dataset = 52007-08-08.15:27:41 zfs allow marks create,destroy,mount tank2007-08-08.15:27:59 [internal permission update txg:348873] ud$76928 snapshot dataset = 52007-08-08.15:27:59 zfs allow -d marks snapshot tank

The zpool history -l option provides a long format. For example:

# zpool history -l tankHistory for ’tank’:2007-07-19.10:55:13 zpool create tank mirror c0t1d0 c0t11d0 [user root on neo:global]2007-07-19.10:55:19 zfs create tank/cindys [user root on neo:global]2007-07-19.10:55:49 zfs allow cindys create,destroy,mount,snapshot tank/cindys [user root on neo:global]2007-07-19.10:56:24 zfs create tank/cindys/data [user cindys on neo:global]

For more information about using the zpool history command, see Section 10.3.

Upgrading ZFS File Systems (zfs upgrade)

Solaris Express Developer Edition 9/07: The zfs upgrade command is included in this release to providefuture ZFS file system enhancements to existing file systems. ZFS storage pools have a similar upgradefeature to provide pool enhancements to existing storage pools.

For example:

# zfs upgradeThis system is currently running ZFS filesystem version 2.

7


The following filesystems are out of date, and can be upgraded. After beingupgraded, these filesystems (and any ’zfs send’ streams generated fromsubsequent snapshots) will no longer be accessible by older software versions.

VER FILESYSTEM--- ------------1 datab1 datab/users1 datab/users/area51

NoteFile systems that are upgraded and any streams created from those upgraded file systems by the zfssend command are not accessible on systems that are running older software releases.

However, no new ZFS file system upgrade features are provided in this release.

ZFS Delegated Administration

Solaris Express Developer Edition 9/07: In this release, you can delegate fine-grained permissions toperform ZFS administration tasks to non-privileged users.

You can use the zfs allow and zfs unallow commands to grant and remove permissions.

You can modify the ability to use delegated administration with the pool’s delegation property. Forexample:

# zpool get delegation usersNAME PROPERTY VALUE SOURCEusers delegation on default# zpool set delegation=off users# zpool get delegation usersNAME PROPERTY VALUE SOURCEusers delegation off local

By default, the delegation property is enabled.

For more information, see Chapter 8 and zfs(1M).

Setting Up Separate ZFS Logging Devices

Solaris Express Developer Edition 9/07: The ZFS intent log (ZIL) is provided to satisfy POSIX require-ments for synchronous transactions. For example, databases often require their transactions to be on stablestorage devices when returning from a system call. NFS and other applications can also use fsync() toensure data stability. By default, the ZIL is allocated from blocks within the main storage pool. However,better performance might be possible by using separate intent log devices in your ZFS storage pool, suchas with NVRAM or a dedicated disk.

Log devices for the ZFS intent log are not related to database log files.

You can set up a ZFS logging device when the storage pool is created or after the pool is created. Forexamples of setting up log devices, see Section 4.3 and Section 4.4.

8


You can attach a log device to an existing log device to create a mirrored log device. This operation isidentical to attaching a device in a unmirrored storage pool.

Consider the following points when determining whether setting up a ZFS log device is appropriate foryour environment:

• Any performance improvement seen by implementing a separate log device depends on the device type,the hardware configuration of the pool, and the application workload. For preliminary performanceinformation, see this blog:

http://blogs.oracle.com/perrin/entry/slog_blog_or_blogging_on

• Log devices can be unreplicated or mirrored, but RAIDZ is not supported for log devices.

• If a separate log device is not mirrored and the device that contains the log fails, storing log blocksreverts to the storage pool.

• Log devices can be added, replaced, attached, detached, and imported and exported as part of the largerstorage pool. Currently, log devices cannot be removed.

• The minimum size of a log device is the same as the minimum size of device in pool, which is 64Mbytes. The amount of in-play data that might be stored on a log device is relatively small. Log blocksare freed when the log transaction (system call) is committed.

• The maximum size of a log device should be approximately 1/2 the size of physical memory becausethat is the maximum amount of potential in-play data that can be stored. For example, if a system has 16Gbytes of physical memory, consider a maximum log device size of 8 Gbytes.

Creating Intermediate ZFS Datasets

Solaris Express Developer Edition 9/07: You can use the -p option with the zfs create, zfs clone, andzfs rename commands to quickly create a non-existent intermediate dataset, if it doesn’t already exist.

For example, create ZFS datasets (users/area51) in the datab storage pool.# zfs listNAME USED AVAIL REFER MOUNTPOINTdatab 106K 16.5G 18K /datab# zfs create -p -o compression=on datab/users/area51

If the intermediate dataset exists during the create operation, the operation completes successfully.

Properties specified apply to the target dataset, not to the intermediate datasets. For example:# zfs get mountpoint,compression datab/users/area51NAME PROPERTY VALUE SOURCEdatab/users/area51 mountpoint /datab/users/area51 defaultdatab/users/area51 compression on local

The intermediate dataset is created with the default mount point. Any additional properties are disabledfor the intermediate dataset. For example:# zfs get mountpoint,compression datab/usersNAME PROPERTY VALUE SOURCEdatab/users mountpoint /datab/users defaultdatab/users compression off default

For more information, see zfs(1M).

9


ZFS Hotplugging Enhancements

Solaris Express Developer Edition 9/07: In this release, ZFS more effectively responds to devicesthat are removed and provides a mechanism to automatically identify devices that are inserted with thefollowing enhancements:

• You can replace an existing device with an equivalent device without having to use the zpool replacecommand.

The autoreplace property controls automatic device replacement. If set to off, device replacementmust be initiated by the administrator by using the zpool replace command. If set to on, any new device,found in the same physical location as a device that previously belonged to the pool, is automaticallyformatted and replaced. The default behavior is off.

• The storage pool state REMOVED is provided when a device or hot spare has been removed if the devicewas physically removed while the system was running. A hot-spare device is substituted for the removeddevice, if available.

• If a device is removed and then inserted, the device is placed online. If a hot-spare was activated whenthe device is re-inserted, the spare is removed when the online operation completes.

• Automatic detection when devices are removed or inserted is hardware-dependent and might not besupported on all platforms. For example, USB devices are automatically configured upon inserted.However, you might have to use the cfgadm -c configure command to configure a SATA drive.

• Hot spares are checked periodically to make sure they are online and available.

For more information, see zpool(1M).

Recursively Renaming ZFS Snapshots (zfs rename -r)

Solaris Express Developer Edition 5/07: You can recursively rename all descendent ZFS snapshots byusing the zfs rename -r command.

For example, snapshot a set of ZFS file systems.

# zfs snapshot -r users/home@today# zfs listNAME USED AVAIL REFER MOUNTPOINTusers 216K 16.5G 20K /usersusers/home 76K 16.5G 22K /users/homeusers/home@today 0 - 22K -users/home/markm 18K 16.5G 18K /users/home/markmusers/home/markm@today 0 - 18K -users/home/marks 18K 16.5G 18K /users/home/marksusers/home/marks@today 0 - 18K -users/home/neil 18K 16.5G 18K /users/home/neilusers/home/neil@today 0 - 18K -

Then, rename the snapshots the following day.

# zfs rename -r users/home@today @yesterday# zfs listNAME USED AVAIL REFER MOUNTPOINTusers 216K 16.5G 20K /users

10


users/home 76K 16.5G 22K /users/homeusers/home@yesterday 0 - 22K -users/home/markm 18K 16.5G 18K /users/home/markmusers/home/markm@yesterday 0 - 18K -users/home/marks 18K 16.5G 18K /users/home/marksusers/home/marks@yesterday 0 - 18K -users/home/neil 18K 16.5G 18K /users/home/neilusers/home/neil@yesterday 0 - 18K -

Snapshots are the only dataset that can be renamed recursively. For more information about snapshots, seeSection 6.1.

GZIP Compression is Available for ZFS

Solaris Express Developer Edition 5/07: In this Solaris release, you can set gzip compression on ZFSfile systems in addition to lzjb compression. You can specify compression as gzip, the default, orgzip-N , where N equals 1 through 9. For example:

# zfs create -o compression=gzip users/home/snapshots# zfs get compression users/home/snapshotsNAME PROPERTY VALUE SOURCEusers/home/snapshots compression gzip local# zfs create -o compression=gzip-9 users/home/oldfiles# zfs get compression users/home/oldfilesNAME PROPERTY VALUE SOURCEusers/home/oldfiles compression gzip-9 local

For more information about setting ZFS properties, see Section 5.4.

Storing Multiple Copies of ZFS User Data

Solaris Express Developer Edition 5/07: As a reliability feature, ZFS file system metadata is automati-cally stored multiple times across different disks, if possible. This feature is known as ditto blocks.

In this Solaris release, you can specify that multiple copies of user data is also stored per file system byusing the zfs set copies command. For example:

# zfs set copies=2 users/home# zfs get copies users/homeNAME PROPERTY VALUE SOURCEusers/home copies 2 local

Available values are 1, 2, or 3. The default value is 1. These copies are in addition to any pool-levelredundancy, such as in a mirrored or RAID-Z configuration.

The benefits of storing multiple copies of ZFS user data are as follows:

• Improves data retention by allowing recovery from unrecoverable block read faults, such as media faults(bit rot) for all ZFS configurations.

• Provides data protection even in the case where only a single disk is available.

• Allows you to select data protection policies on a per-file system basis, beyond the capabilities of thestorage pool.

11


Depending on the allocation of the ditto blocks in the storage pool, multiple copies might be placed on asingle disk. A subsequent full disk failure might cause all ditto blocks to be unavailable.

You might consider using ditto blocks when you accidentally create a non-redundant pool and when youneed to set data retention policies.

For a detailed description of how setting copies on a system with a single-disk pool or a multiple-diskpool might impact overall data protection, see this blog entry. For more information about setting ZFSproperties, see Section 5.4.

Improved zpool status Output

Solaris Express 1/07: You can use the zpool status -v command to display a list of files with persistenterrors. Previously, you had to use the find -inum command to identify the filenames from the list ofdisplayed inodes.

For more information about displaying a list of files with persistent errors, see Section 10.7.

ZFS and Solaris iSCSI Improvements

Solaris Express, Developer Edition 2/07: In this Solaris release, you can create a ZFS volume as aSolaris iSCSI target device by setting the shareiscsi property on the ZFS volume. This method is aconvenient way to quickly set up a Solaris iSCSI target. For example:

# zfs create -V 2g tank/volumes/v2# zfs set shareiscsi=on tank/volumes/v2# iscsitadm list targetTarget: tank/volumes/v2

iSCSI Name: iqn.1986-03.com.sun:02:984fe301-c412-ccc1-cc80-cf9a72aa062aConnections: 0

After the iSCSI target is created, set up the iSCSI initiator. For information about setting up a Solaris iSCSIinitiator, see Chapter 14, Configuring Solaris iSCSI Targets and Initiators (Tasks), in System AdministrationGuide: Devices and File Systems.

For more information about managing a ZFS volume as an iSCSI target, see Section 9.1.

Sharing ZFS File System Enhancements

Solaris Express, Developer Edition 2/07: In this Solaris release, the process of sharing file systemshas been improved. Although modifying system configuration files, such as /etc/dfs/dfstab, isunnecessary for sharing ZFS file systems, you can use the sharemgr command to manage ZFS shareproperties. The sharemgr command enables you to set and manage share properties on share groups. ZFSshares are automatically designated in the zfs share group.

As in previous releases, you can set the ZFS sharenfs property on a ZFS file system to share a ZFS filesystem. For example:

# zfs set sharenfs=on tank/home

Or, you can use the new sharemgr add-share subcommand to share a ZFS file system in the zfs sharegroup. For example:

12


# sharemgr add-share -s tank/data zfs# sharemgr show -vp zfszfs nfs=()

zfs/tank/data/tank/data/tank/data/1/tank/data/2/tank/data/3

Then, you can use the sharemgr command to manage ZFS shares. The following example shows how touse sharemgr to set the nosuid property on the shared ZFS file systems. You must preface ZFS sharepaths with /zfs designation.

# sharemgr set -P nfs -p nosuid=true zfs/tank/data# sharemgr show -vp zfszfs nfs=()

zfs/tank/data nfs=(nosuid="true")/tank/data/tank/data/1/tank/data/2/tank/data/3

For more information, see sharemgr(1M).

ZFS Command History (zpool history)

Solaris Express 12/06: In this Solaris release, ZFS automatically logs successful zfs and zpool commandsthat modify pool state information. For example:

# zpool historyHistory for ’newpool’:2007-04-25.11:37:31 zpool create newpool mirror c0t8d0 c0t10d02007-04-25.11:37:46 zpool replace newpool c0t10d0 c0t9d02007-04-25.11:38:04 zpool attach newpool c0t9d0 c0t11d02007-04-25.11:38:09 zfs create newpool/user12007-04-25.11:38:15 zfs destroy newpool/user1

History for ’tank’:2007-04-25.11:46:28 zpool create tank mirror c1t0d0 c2t0d0 mirror c3t0d0 c4t0d0

This features enables you or Sun support personnel to identify the exact set of ZFS commands that wasexecuted to troubleshoot an error scenario.

You can identify a specific storage pool with the zpool history command. For example:

# zpool history newpoolHistory for ’newpool’:History for ’newpool’:2007-04-25.11:37:31 zpool create newpool mirror c0t8d0 c0t10d02007-04-25.11:37:46 zpool replace newpool c0t10d0 c0t9d02007-04-25.11:38:04 zpool attach newpool c0t9d0 c0t11d02007-04-25.11:38:09 zfs create newpool/user12007-04-25.11:38:15 zfs destroy newpool/user1

The features of the history log are as follows:

13


• The log cannot be disabled.

• The log is saved persistently on disk, which means the log is saved across system reboots.

• The log is implemented as a ring buffer. The minimum size is 128 Kbytes. The maximum size is 32Mbytes.

• For smaller pools, the maximum size is capped at 1% of the pool size, where size is determined atpool creation time.

• Requires no administration, which means tuning the size of the log or changing the location of the log isunnecessary.

Currently, the zpool history command does not record user-ID, hostname, or zone-name.

For more information about troubleshooting ZFS problems, see Section 10.3.

ZFS Property Improvements

ZFS xattr Property

Solaris Express 1/07: You can use the xattr property to disable or enable extended attributes for aspecific ZFS file system. The default value is on. For a description of ZFS properties, see Section 5.2.

ZFS canmount Property

Solaris Express 10/06: The new canmount property allows you to specify whether a dataset can bemounted by using the zfs mount command. For more information, see Section 5.2.

ZFS User Properties

Solaris Express 10/06: In addition to the standard native properties that can either export internal statisticsor control ZFS file system behavior, ZFS supports user properties. User properties have no effect onZFS behavior, but you can use them to annotate datasets with information that is meaningful in yourenvironment.


Setting Properties When Creating ZFS File Systems

Solaris Express 10/06: In this Solaris release, you can set properties when you create a file system, inaddition to setting properties after the file system is created.

The following examples illustrate equivalent syntax:

# zfs create tank/home# zfs set mountpoint=/export/zfs tank/home# zfs set sharenfs=on tank/home# zfs set compression=on tank/home

# zfs create -o mountpoint=/export/zfs -o sharenfs=on -o compression=on tank/home

14


Displaying All ZFS File System Information

Solaris Express 10/06: In this Solaris release, you can use various forms of the zfs get command todisplay information about all datasets if you do not specify a dataset. In previous releases, all datasetinformation was not retreivable with the zfs get command.

For example:

# zfs get -s local alltank/home atime off localtank/home/bonwick atime off localtank/home/marks quota 50G local

New zfs receive -F Option

Solaris Express 10/06: In this Solaris release, you can use the new -F option to the zfs receive commandto force a rollback of the file system to the most recent snapshot before doing the receive. Using thisoption might be necessary when the file system is modified between the time a rollback occurs and thereceive is initiated.


Recursive ZFS Snapshots

Solaris Express 8/06: When you use the zfs snapshot command to create a file system snapshot, you canuse the -r option to recursively create snapshots for all descendent file systems. In addition, using the -roption recursively destroys all descendent snapshots when a snapshot is destroyed.

Recursive ZFS snapshots are created quickly as one atomic operation. The snapshots are created together(all at once) or not created at all. The benefit of atomic snapshots operations is that the snapshot data isalways taken at one consistent time, even across descendent file systems.


Double Parity RAID-Z (raidz2)

Solaris Express 7/06: A redundant RAID-Z configuration can now have either single- or double-parity,which means that one or two device failures can be sustained respectively, without any data loss. You canspecify the raidz2 keyword for a double-parity RAID-Z configuration. Or, you can specify the raidzor raidz1 keyword for a single-parity RAID-Z configuration.

For more information, see Section 4.3 or zpool(1M).

Hot Spares for ZFS Storage Pool Devices

Solaris Express 7/06: The ZFS hot spares feature enables you to identify disks that could be used toreplace a failed or faulted device in one or more storage pools. Designating a device as a hot spare meansthat if an active device in the pool fails, the hot spare automatically replaces the failed device. Or, you canmanually replace a device in a storage pool with a hot spare.

For more information, see Section 4.4 and zpool(1M).

15


Replacing a ZFS File System With a ZFS Clone (zfs promote)

Solaris Express 7/06: The zfs promote command enables you to replace an existing ZFS file systemwith a clone of that file system. This feature is helpful when you want to run tests on an alternative versionof a file system and then, make that alternative version of the file system the active file system.

For more information, see Section 6.2 and zfs(1M).

Upgrading ZFS Storage Pools (zpool upgrade)

Solaris Express 6/06: You can upgrade your storage pools to a newer version to take advantage of thelatest features by using the zpool upgrade command. In addition, the zpool status command has beenmodified to notify you when your pools are running older versions.

For more information, see Section 4.7 and zpool(1M).

If you want to use the ZFS Administration console on a system with a pool from a previous Solaris release,make sure you upgrade your pools before using the ZFS Administration console. To see if your pools needto be upgraded, use the zpool status command. For information about the ZFS Administration console,see Section 1.1.

Using ZFS to Clone Non-Global Zones and Other Enhancements

Solaris Express 6/06: When the source zonepath and the target zonepath both reside on ZFS andare in the same pool, zoneadm clone now automatically uses the ZFS clone feature to clone a zone. Thisenhancement means that zoneadm clone will take a ZFS snapshot of the source zonepath and set upthe target zonepath. The snapshot is named SUNWzoneX, where X is a unique ID used to distinguishbetween multiple snapshots. The destination zone’s zonepath is used to name the ZFS clone. A softwareinventory is performed so that a snapshot used at a future time can be validated by the system. Note thatyou can still specify that the ZFS zonepath be copied instead of the ZFS clone, if desired.

To clone a source zone multiple times, a new parameter added to zoneadm allows you to specify that anexisting snapshot should be used. The system validates that the existing snapshot is usable on the target.Additionally, the zone install process now has the capability to detect when a ZFS file system can becreated for a zone, and the uninstall process can detect when a ZFS file system in a zone can be destroyed.These steps are then performed automatically by the zoneadm command.

Keep the following points in mind when using ZFS on a system with containers:

• Do not use the ZFS snapshot features to clone a zone

• You can delegate or a add a ZFS file system to a non-global zone. For more information, see Section 9.2or Section 9.2.

• Do not use a ZFS file system for a global zone root path or a non-global zone root path in the Solaris10 releases. You can use ZFS as a zone root path in the Solaris Express releases, but keep in mind thatpatching or upgrading these zones is not supported.

For more information, see System Administration Guide: Virtualization Using the Solaris OperatingSystem.

16


ZFS Backup and Restore Commands are Renamed

Solaris Express 5/06: In this Solaris release, the zfs backup and zfs restore commands are renamed tozfs send and zfs receive to more accurately describe their function. The function of these commands is tosave and restore ZFS data stream representations.

For more information about these commands, see Section 6.3.

Recovering Destroyed Storage Pools

Solaris Express 5/06: This release includes the zpool import -D command, which enables you to recoverpools that were previously destroyed with the zpool destroy command.


ZFS is Integrated With Fault Manager

Solaris Express 4/06: This release includes the integration of a ZFS diagnostic engine that is capableof diagnosing and reporting pool failures and device failures. Checksum, I/O, device, and pool errorsassociated with pool or device failures are also reported.

The diagnostic engine does not include predictive analysis of checksum and I/O errors, nor does it includeproactive actions based on fault analysis.

In the event of the ZFS failure, you might see a message similar to the following from fmd:SUNW-MSG-ID: ZFS-8000-D3, TYPE: Fault, VER: 1, SEVERITY: MajorEVENT-TIME: Fri Mar 10 11:09:06 MST 2006PLATFORM: SUNW,Ultra-60, CSN: -, HOSTNAME: neoSOURCE: zfs-diagnosis, REV: 1.0EVENT-ID: b55ee13b-cd74-4dff-8aff-ad575c372ef8DESC: A ZFS device failed. Refer to http://illumos.org/msg/ZFS-8000-D3 for more information.AUTO-RESPONSE: No automated response will occur.IMPACT: Fault tolerance of the pool may be compromised.REC-ACTION: Run ’zpool status -x’ and replace the bad device.

By reviewing the recommended action, which will be to follow the more specific directions in the zpoolstatus command, you will be able to quickly identify and resolve the failure.

For an example of recovering from a reported ZFS problem, see Section 10.5.

New zpool clear Command

Solaris Express 4/06: This release includes the zpool clear command for clearing error counts associatedwith a device or the pool. Previously, error counts were cleared when a device in a pool was brought onlinewith the zpool online command. For more information, see zpool(1M) and Section 4.4.

Compact NFSv4 ACL Format

Solaris Express 4/06: In this release, three NFSv4 ACL formats are available: verbose, positional, andcompact. The new compact and positional ACL formats are available to set and display ACLs. You canuse the chmod command to set all 3 ACL formats. You can use the ls -V command to display compactand positional ACL formats and the ls -v command to display verbose ACL formats.

For more information, see Section 7.4, chmod(1), and ls(1).

17


File System Monitoring Tool (fsstat)

Solaris Express 4/06: A new file system monitoring tool, fsstat, is available to report file system oper-ations. Activity can be reported by mount point or by file system type. The following example showsgeneral ZFS file system activity.

$ fsstat zfsnew name name attr attr lookup rddir read read write writefile remov chng get set ops ops ops bytes ops bytes7.82M 5.92M 2.76M 1.02G 3.32M 5.60G 87.0M 363M 1.86T 20.9M 251G zfs

For more information, see fsstat(1M).

ZFS Web-Based Management

Solaris Express 1/06: A web-based ZFS management tool is available to perform many administrativeactions. With this tool, you can perform the following tasks:

• Create a new storage pool.

• Add capacity to an existing pool.

• Move (export) a storage pool to another system.

• Import a previously exported storage pool to make it available on another system.

• View information about storage pools.

• Create a file system.

• Create a volume.

• Take a snapshot of a file system or a volume.

• Roll back a file system to a previous snapshot.

You can access the ZFS Administration console through a secure web browser at the following URL:

https://system-name:6789/zfs

If you type the appropriate URL and are unable to reach the ZFS Administration console, the server mightnot be started. To start the server, run the following command:

# /usr/sbin/smcwebserver start

If you want the server to run automatically when the system boots, run the following command:

# /usr/sbin/smcwebserver enable

NoteYou cannot use the Solaris Management Console (smc) to manage ZFS storage pools or file systems.

18

1.2. What Is ZFS?

You will not be able to manage ZFS file systems remotely with the ZFS Administration console becauseof a change in a recent Solaris release, which shutdown some network services automatically. Use thefollowing command to enable these services:

# netservices open

1.2 What Is ZFS?

The ZFS file system is a revolutionary new file system that fundamentally changes the way file systemsare administered, with features and benefits not found in any other file system available today. ZFS hasbeen designed to be robust, scalable, and simple to administer.

ZFS Pooled Storage

ZFS uses the concept of storage pools to manage physical storage. Historically, file systems were con-structed on top of a single physical device. To address multiple devices and provide for data redundancy,the concept of a volume manager was introduced to provide the image of a single device so that filesystems would not have to be modified to take advantage of multiple devices. This design added anotherlayer of complexity and ultimately prevented certain file system advances, because the file system had nocontrol over the physical placement of data on the virtualized volumes.

ZFS eliminates the volume management altogether. Instead of forcing you to create virtualized volumes,ZFS aggregates devices into a storage pool. The storage pool describes the physical characteristics of thestorage (device layout, data redundancy, and so on,) and acts as an arbitrary data store from which filesystems can be created. File systems are no longer constrained to individual devices, allowing them toshare space with all file systems in the pool. You no longer need to predetermine the size of a file system,as file systems grow automatically within the space allocated to the storage pool. When new storage isadded, all file systems within the pool can immediately use the additional space without additional work.In many ways, the storage pool acts as a virtual memory system. When a memory DIMM is added to asystem, the operating system doesn’t force you to invoke some commands to configure the memory andassign it to individual processes. All processes on the system automatically use the additional memory.

Transactional Semantics

ZFS is a transactional file system, which means that the file system state is always consistent on disk.Traditional file systems overwrite data in place, which means that if the machine loses power, for example,between the time a data block is allocated and when it is linked into a directory, the file system will beleft in an inconsistent state. Historically, this problem was solved through the use of the fsck command.This command was responsible for going through and verifying file system state, making an attemptto repair any inconsistencies in the process. This problem caused great pain to administrators and wasnever guaranteed to fix all possible problems. More recently, file systems have introduced the conceptof journaling. The journaling process records action in a separate journal, which can then be replayedsafely if a system crash occurs. This process introduces unnecessary overhead, because the data needs tobe written twice, and often results in a new set of problems, such as when the journal can’t be replayedproperly.

With a transactional file system, data is managed using copy on write semantics. Data is never overwritten,and any sequence of operations is either entirely committed or entirely ignored. This mechanism means

19


that the file system can never be corrupted through accidental loss of power or a system crash. So, no needfor a fsck equivalent exists. While the most recently written pieces of data might be lost, the file systemitself will always be consistent. In addition, synchronous data (written using the O_DSYNC flag) is alwaysguaranteed to be written before returning, so it is never lost.

Checksums and Self-Healing Data

With ZFS, all data and metadata is checksummed using a user-selectable algorithm. Traditional file systemsthat do provide checksumming have performed it on a per-block basis, out of necessity due to the volumemanagement layer and traditional file system design. The traditional design means that certain failuremodes, such as writing a complete block to an incorrect location, can result in properly checksummed datathat is actually incorrect. ZFS checksums are stored in a way such that these failure modes are detectedand can be recovered from gracefully. All checksumming and data recovery is done at the file systemlayer, and is transparent to applications.

In addition, ZFS provides for self-healing data. ZFS supports storage pools with varying levels of dataredundancy, including mirroring and a variation on RAID-5. When a bad data block is detected, ZFSfetches the correct data from another redundant copy, and repairs the bad data, replacing it with the goodcopy.

Unparalleled Scalability

ZFS has been designed from the ground up to be the most scalable file system, ever. The file system itselfis 128-bit, allowing for 256 quadrillion zettabytes of storage. All metadata is allocated dynamically, sono need exists to pre-allocate inodes or otherwise limit the scalability of the file system when it is firstcreated. All the algorithms have been written with scalability in mind. Directories can have up to 248 (256trillion) entries, and no limit exists on the number of file systems or number of files that can be containedwithin a file system.

ZFS Snapshots

A snapshot is a read-only copy of a file system or volume. Snapshots can be created quickly and easily.Initially, snapshots consume no additional space within the pool.

As data within the active dataset changes, the snapshot consumes space by continuing to reference the olddata. As a result, the snapshot prevents the data from being freed back to the pool.

Simplified Administration

Most importantly, ZFS provides a greatly simplified administration model. Through the use of hierarchicalfile system layout, property inheritance, and automanagement of mount points and NFS share semantics,ZFS makes it easy to create and manage file systems without needing multiple commands or editingconfiguration files. You can easily set quotas or reservations, turn compression on or off, or manage mountpoints for numerous file systems with a single command. Devices can be examined or repaired withouthaving to understand a separate set of volume manager commands. You can take an unlimited number ofinstantaneous snapshots of file systems. You can backup and restore individual file systems.

ZFS manages file systems through a hierarchy that allows for this simplified management of propertiessuch as quotas, reservations, compression, and mount points. In this model, file systems become the

20

1.3. ZFS Terminology

central point of control. File systems themselves are very cheap (equivalent to a new directory), so you areencouraged to create a file system for each user, project, workspace, and so on. This design allows you todefine fine-grained management points.

1.3 ZFS Terminology

This section describes the basic terminology used throughout this book:

checksumA 256-bit hash of the data in a file system block. The checksum capability can range from the simpleand fast fletcher2 (the default) to cryptographically strong hashes such as SHA256.

cloneA file system whose initial contents are identical to the contents of a snapshot.

For information about clones, see Section 6.2.

datasetA generic name for the following ZFS entities: clones, file systems, snapshots, or volumes.

Each dataset is identified by a unique name in the ZFS namespace. Datasets are identified using thefollowing format:

pool/path[@snapshot]

poolIdentifies the name of the storage pool that contains the dataset

pathIs a slash-delimited path name for the dataset object

snapshotIs an optional component that identifies a snapshot of a dataset

For more information about datasets, see Chapter 5.

file systemA dataset that contains a standard POSIX file system.

For more information about file systems, see Chapter 5.

mirrorA virtual device that stores identical copies of data on two or more disks. If any disk in a mirrorfails, any other disk in that mirror can provide the same data.

pool A logical group of devices describing the layout and physical characteristics of the available storage.Space for datasets is allocated from a pool.

For more information about storage pools, see Chapter 4.

RAID-ZA virtual device that stores data and parity on multiple disks, similar to RAID-5. For more informa-tion about RAID-Z, see Section 4.2.

21


resilveringThe process of transferring data from one device to another device is known as resilvering. Forexample, if a mirror component is replaced or taken offline, the data from the up-to-date mirrorcomponent is copied to the newly restored mirror component. This process is referred to as mirrorresynchronization in traditional volume management products.

For more information about ZFS resilvering, see Section 10.6.

snapshotA read-only image of a file system or volume at a given point in time.

For more information about snapshots, see Section 6.1.

virtual deviceA logical device in a pool, which can be a physical device, a file, or a collection of devices.

For more information about virtual devices, see Section 4.1.

volumeA dataset used to emulate a physical device. For example, you can create an ZFS volume as a swapdevice.

For more information about ZFS volumes, see Section 9.1.

1.4 ZFS Component Naming Requirements

Each ZFS component must be named according to the following rules:

• Empty components are not allowed.

• Each component can only contain alphanumeric characters in addition to the following four specialcharacters:

– Underscore (_)

– Hyphen (-)

– Colon (:)

– Period (.)

• Pool names must begin with a letter, except for the following restrictions:

– The beginning sequence c[0-9] is not allowed

– The name log is reserved

– A name that begins with mirror, raidz, or spare is not allowed because these name are reserved.

In addition, pool names must not contain a percent sign (%)

• Dataset names must begin with an alphanumeric character. Dataset names must not contain a percentsign (%).

22

Chapter 2

Getting Started With ZFS

This chapter provides step-by-step instructions on setting up simple ZFS configurations. By the end ofthis chapter, you should have a basic idea of how the ZFS commands work, and should be able to createsimple pools and file systems. This chapter is not designed to be a comprehensive overview and refers tolater chapters for more detailed information.


• Section 2.1

• Section 2.2

• Section 2.3

• Section 2.4

2.1 ZFS Hardware and Software Requirements and Recommendations

Make sure you review the following hardware and software requirements and recommendations beforeattempting to use the ZFS software:

• A SPARC™ or x86 system that is running the Solaris™ Nevada release, build 27 or later.

• The minimum disk size is 128 Mbytes. The minimum amount of disk space required for a storage poolis approximately 64 Mbytes.

• Currently, the minimum amount of memory recommended to install a Solaris system is 512 Mbytes.However, for good ZFS performance, at least one Gbyte or more of memory is recommended.

• If you create a mirrored disk configuration, multiple controllers are recommended.

2.2 Creating a Basic ZFS File System

ZFS administration has been designed with simplicity in mind. Among the goals of the ZFS design is toreduce the number of commands needed to create a usable file system. When you create a new pool, a newZFS file system is created and mounted automatically.

23

2. GETTING STARTED WITH ZFS

The following example illustrates how to create a non-redundant storage pool named tank and a ZFS filesystem name tank in one command. Assume that the whole disk /dev/dsk/c1t0d0 is available foruse.

# zpool create tank c1t0d0

NoteThis command creates a non-redundant pool. A non-redundant pool configuration is not recommendedfor production environments even if the single storage object is presented from a hardware RAID arrayor from a software volume manager. ZFS can only detect errors in these configurations. ZFS cancorrects error in pool configurations with redundant data. For more information, about redundant ZFSpool configurations, see Section 4.2.

The new ZFS file system, tank, can use as much of the disk space on c1t0d0 as needed, and isautomatically mounted at /tank.

# mkfile 100m /tank/foo# df -h /tankFilesystem size used avail capacity Mounted ontank 80G 100M 80G 1% /tank

Within a pool, you will probably want to create additional file systems. File systems provide points ofadministration that allow you to manage different sets of data within the same pool.

The following example illustrates how to create a file system named fs in the storage pool tank. Assumethat the whole disk /dev/dsk/c1t0d0 is available for use.

# zpool create tank mirror c1t0d0 c2t0d0# zfs create tank/fs

The new ZFS file system, tank/fs, can use as much of the disk space on c1t0d0 as needed, and isautomatically mounted at /tank/fs.

# mkfile 100m /tank/fs/foo# df -h /tank/fsFilesystem size used avail capacity Mounted ontank/fs 80G 100M 80G 1% /tank/fs

In most cases, you will probably want to create and organize a hierarchy of file systems that matches yourorganizational needs. For more information about creating a hierarchy of ZFS file systems, see Section 2.4.

2.3 Creating a ZFS Storage Pool

The previous example illustrates the simplicity of ZFS. The remainder of this chapter demonstrates a morecomplete example similar to what you would encounter in your environment. The first tasks are to identifyyour storage requirements and create a storage pool. The pool describes the physical characteristics of thestorage and must be created before any file systems are created. How to Identify Storage Requirements forYour ZFS Storage Pool

24

2.3. Creating a ZFS Storage Pool

1. Determine available devices.

Before creating a storage pool, you must determine which devices will store your data. Thesedevices must be disks of at least 128 Mbytes in size, and they must not be in use by other parts ofthe operating system. The devices can be individual slices on a preformatted disk, or they can beentire disks that ZFS formats as a single large slice.

For the storage example used in [?task], assume that the whole disks /dev/dsk/c1t0d0 and/dev/dsk/c1t1d0 are available for use.

For more information about disks and how they are used and labeled, see Section 4.1.

2. Choose data replication.

ZFS supports multiple types of data replication, which determines what types of hardware failuresthe pool can withstand. ZFS supports nonredundant (striped) configurations, as well as mirroringand RAID-Z (a variation on RAID-5).

For the storage example used in [?task], basic mirroring of two available disks is used.

For more information about ZFS replication features, see Section 4.2.

How to Create a ZFS Storage Pool

1. Become root or assume an equivalent role with the appropriate ZFS rights profile.

For more information about the ZFS rights profiles, see Section 9.4.

2. Pick a pool name.

The pool name is used to identify the storage pool when you are using the zpool or zfs commands.Most systems require only a single pool, so you can pick any name that you prefer, provided itsatisfies the naming requirements outlined in Section 1.4.

3. Create the pool.

For example, create a mirrored pool that is named tank.

# zpool create tank mirror c1t0d0 c1t1d0

If one or more devices contains another file system or is otherwise in use, the command cannotcreate the pool.

For more information about creating storage pools, see Section 4.3.

For more information about how device usage is determined, see Section 4.3.

4. View the results.

You can determine if your pool was successfully created by using the zpool list command.

# zpool listNAME SIZE USED AVAIL CAP HEALTH ALTROOTtank 80G 137K 80G 0% ONLINE -

For more information about viewing pool status, see Section 4.6.

25

2. GETTING STARTED WITH ZFS

2.4 Creating a ZFS File System Hierarchy

After creating a storage pool to store your data, you can create your file system hierarchy. Hierarchies aresimple yet powerful mechanisms for organizing information. They are also very familiar to anyone whohas used a file system.

ZFS allows file systems to be organized into arbitrary hierarchies, where each file system has only a singleparent. The root of the hierarchy is always the pool name. ZFS leverages this hierarchy by supportingproperty inheritance so that common properties can be set quickly and easily on entire trees of file systems.How to Determine Your ZFS File System Hierarchy

1. Pick the file system granularity.

ZFS file systems are the central point of administration. They are lightweight and can be createdeasily. A good model to use is a file system per user or project, as this model allows properties,snapshots, and backups to be controlled on a per-user or per-project basis.

Two ZFS file systems, bonwick and billm, are created in [?task].

For more information on managing file systems, see Chapter 5.

2. Group similar file systems.

ZFS allows file systems to be organized into hierarchies so that similar file systems can be grouped.This model provides a central point of administration for controlling properties and administeringfile systems. Similar file systems should be created under a common name.

For the example in [?task], the two file systems are placed under a file system named home.

3. Choose the file system properties.

Most file system characteristics are controlled by using simple properties. These properties controla variety of behavior, including where the file systems are mounted, how they are shared, if they usecompression, and if any quotas are in effect.

For the example in [?task], all home directories are mounted at /export/zfs/user, are sharedby using NFS, and with compression enabled. In addition, a quota of 10 Gbytes on bonwick isenforced.

For more information about properties, see Section 5.2.

How to Create ZFS File Systems

1. Become root or assume an equivalent role with the appropriate ZFS rights profile.

For more information about the ZFS rights profiles, see Section 9.4.

2. Create the desired hierarchy.

In this example, a file system that acts as a container for individual file systems is created.

# zfs create tank/home

Next, individual file systems are grouped under the home file system in the pool tank.

3. Set the inherited properties.

After the file system hierarchy is established, set up any properties that should be shared among allusers:

26

2.4. Creating a ZFS File System Hierarchy

# zfs set mountpoint=/export/zfs tank/home# zfs set sharenfs=on tank/home# zfs set compression=on tank/home# zfs get compression tank/homeNAME PROPERTY VALUE SOURCEtank/home compression on local

A new feature is available that enables you to set file system properties when the file system iscreated. For example:

# zfs create -o mountpoint=/export/zfs -o sharenfs=on -o compression=on tank/home

For more information about properties and property inheritance, see Section 5.2.

4. Create the individual file systems.

Note that the file systems could have been created and then the properties could have been changedat the home level. All properties can be changed dynamically while file systems are in use.

# zfs create tank/home/bonwick# zfs create tank/home/billm

These file systems inherit their property settings from their parent, so they are automatically mountedat /export/zfs/user and are NFS shared. You do not need to edit the /etc/vfstab or/etc/dfs/dfstab file.

For more information about creating file systems, see Section 5.1.

For more information about mounting and sharing file systems, see Section 5.5.

5. Set the file system-specific properties.

In this example, user bonwick is assigned a quota of 10 Gbytes. This property places a limit onthe amount of space he can consume, regardless of how much space is available in the pool.

# zfs set quota=10G tank/home/bonwick

6. View the results.

View available file system information by using the zfs list command:

# zfs listNAME USED AVAIL REFER MOUNTPOINTtank 92.0K 67.0G 9.5K /tanktank/home 24.0K 67.0G 8K /export/zfstank/home/billm 8K 67.0G 8K /export/zfs/billmtank/home/bonwick 8K 10.0G 8K /export/zfs/bonwick

Note that the user bonwick only has 10 Gbytes of space available, while the user billm can usethe full pool (67 Gbytes).

For more information about viewing file system status, see Section 5.3.

For more information about how space is used and calculated, see Section 3.2.

27

Chapter 3

ZFS and Traditional File System Differences

This chapter discusses some significant differences between ZFS and traditional file systems. Under-standing these key differences can help reduce confusion when using traditional tools to interact withZFS.


• Section 3.1

• Section 3.2

• Section 3.2

• Section 3.3

• Section 3.4

• Section 3.5

3.1 ZFS File System Granularity

Historically, file systems have been constrained to one device so that the file systems themselves havebeen constrained to the size of the device. Creating and re-creating traditional file systems because of sizeconstraints are time-consuming and sometimes difficult. Traditional volume management products helpedmanage this process.

Because ZFS file systems are not constrained to specific devices, they can be created easily and quickly,similar to the way directories are created. ZFS file systems grow automatically within the space allocatedto the storage pool.

Instead of creating one file system, such as /export/home, to manage many user subdirectories, youcan create one file system per user. In addition, ZFS provides a file system hierarchy so that you can easilyset up and manage many file systems by applying properties that can be inherited by file systems containedwithin the hierarchy.

For an example of creating a file system hierarchy, see Section 2.4.

29

3. ZFS AND TRADITIONAL FILE SYSTEM DIFFERENCES

3.2 ZFS Space Accounting

ZFS is based on a concept of pooled storage. Unlike typical file systems, which are mapped to physicalstorage, all ZFS file systems in a pool share the available storage in the pool. So, the available spacereported by utilities such as df might change even when the file system is inactive, as other file systemsin the pool consume or release space. Note that the maximum file system size can be limited by usingquotas. For information about quotas, see Section 5.6. Space can be guaranteed to a file system by usingreservations. For information about reservations, see Section 5.6. This model is very similar to the NFSmodel, where multiple directories are mounted from the same file system (consider /home).

All metadata in ZFS is allocated dynamically. Most other file systems pre-allocate much of their metadata.As a result, an immediate space cost at file system creation for this metadata is required. This behavioralso means that the total number of files supported by the file systems is predetermined. Because ZFSallocates its metadata as it needs it, no initial space cost is required, and the number of files is limited onlyby the available space. The output from the df -g command must be interpreted differently for ZFS thanother file systems. The total files reported is only an estimate based on the amount of storage thatis available in the pool.

ZFS is a transactional file system. Most file system modifications are bundled into transaction groupsand committed to disk asynchronously. Until these modifications are committed to disk, they are termedpending changes. The amount of space used, available, and referenced by a file or file system does notconsider pending changes. Pending changes are generally accounted for within a few seconds. Evencommitting a change to disk by using fsync(3C) or O_SYNC does not necessarily guarantee that the spaceusage information is updated immediately.

Out of Space Behavior

File system snapshots are inexpensive and easy to create in ZFS. Most likely, snapshots will be commonin most ZFS environments. For information about ZFS snapshots, see Chapter 6.

The presence of snapshots can cause some unexpected behavior when you attempt to free space. Typically,given appropriate permissions, you can remove a file from a full file system, and this action results inmore space becoming available in the file system. However, if the file to be removed exists in a snapshotof the file system, then no space is gained from the file deletion. The blocks used by the file continue to bereferenced from the snapshot.

As a result, the file deletion can consume more disk space, because a new version of the directory needs tobe created to reflect the new state of the namespace. This behavior means that you can get an unexpectedENOSPC or EDQUOT when attempting to remove a file.

3.3 Mounting ZFS File Systems

ZFS is designed to reduce complexity and ease administration. For example, with existing file systemsyou must edit the /etc/vfstab file every time you add a new file system. ZFS has eliminated thisrequirement by automatically mounting and unmounting file systems according to the properties of thedataset. You do not need to manage ZFS entries in the /etc/vfstab file.

For more information about mounting and sharing ZFS file systems, see Section 5.5.

30

3.4. Traditional Volume Management

3.4 Traditional Volume Management

As described in Section 1.2, ZFS eliminates the need for a separate volume manager. ZFS operates onraw devices, so it is possible to create a storage pool comprised of logical volumes, either software orhardware. This configuration is not recommended, as ZFS works best when it uses raw physical devices.Using logical volumes might sacrifice performance, reliability, or both, and should be avoided.

3.5 The NFSv4 ACL Model

Older versions of Solaris supported an ACL implementation that was primarily based on the POSIX-draftspecification. The POSIX-draft based ACLs are used to protect UFS files, while a new ACL model basedon the NFSv4 specification is used to protect ZFS files.

The main differences of this ACL model are:

• Based on the NFSv4 specification and are similar to NT-style ACLs.

• Much more granular set of access privileges.

• Set and displayed with the chmod and ls commands rather than the setfacl and getfacl commands.

• Richer inheritance semantics for designating how access privileges are applied from directory tosubdirectories, and so on.

For more information about using ACLs with ZFS files, see Chapter 7.

31

Chapter 4

Managing ZFS Storage Pools

This chapter describes how to create and administer ZFS storage pools.


• Section 4.1

• Section 4.3

• Section 4.4

• Section 4.5

• Section 4.6

• Section 4.7

• Section 4.7

4.1 Components of a ZFS Storage Pool

The following sections provide detailed information about the following storage pool components:

• Section 4.1

• Section 4.1

• Section 4.1

Using Disks in a ZFS Storage Pool

The most basic element of a storage pool is a piece of physical storage. Physical storage can be any blockdevice of at least 128 Mbytes in size. Typically, this device is a hard drive that is visible to the system inthe /dev/dsk directory.

A storage device can be a whole disk (c1t0d0) or an individual slice (c0t0d0s7). The recommendedmode of operation is to use an entire disk, in which case the disk does not need to be specially formatted.ZFS formats the disk using an EFI label to contain a single, large slice. When used in this way, the partitiontable that is displayed by the format command appears similar to the following:

33

4. MANAGING ZFS STORAGE POOLS

Current partition table (original):Total disk sectors available: 71670953 + 16384 (reserved sectors)

Part Tag Flag First Sector Size Last Sector0 usr wm 34 34.18GB 716709531 unassigned wm 0 0 02 unassigned wm 0 0 03 unassigned wm 0 0 04 unassigned wm 0 0 05 unassigned wm 0 0 06 unassigned wm 0 0 07 unassigned wm 0 0 08 reserved wm 71670954 8.00MB 71687337

To use whole disks, the disks must be named using the standard Solaris convention, such as /dev/dsk/cXtXdXsX. Some third-party drivers use a different naming convention or place disks in a location otherthan the /dev/dsk directory. To use these disks, you must manually label the disk and provide a slice toZFS.

ZFS applies an EFI label when you create a storage pool with whole disks. Disks can be labeled with atraditional Solaris VTOC label when you create a storage pool with a disk slice.

Slices should only be used under the following conditions:

• The device name is nonstandard.

• A single disk is shared between ZFS and another file system, such as UFS.

• A disk is used as a swap or a dump device.

Disks can be specified by using either the full path, such as /dev/dsk/c1t0d0, or a shorthand namethat consists of the device name within the /dev/dsk directory, such as c1t0d0. For example, thefollowing are valid disk names:

• c1t0d0

• /dev/dsk/c1t0d0

• c0t0d6s2

• /dev/foo/disk

Using whole physical disks is the simplest way to create ZFS storage pools. ZFS configurations becomeprogressively more complex, from management, reliability, and performance perspectives, when youbuild pools from disk slices, LUNs in hardware RAID arrays, or volumes presented by software-basedvolume managers. The following considerations might help you determine how to configure ZFS withother hardware or software storage solutions:

• If you construct ZFS configurations on top of LUNs from hardware RAID arrays, you need to understandthe relationship between ZFS redundancy features and the redundancy features offered by the array.Certain configurations might provide adequate redundancy and performance, but other configurationsmight not.

34

4.2. Replication Features of a ZFS Storage Pool

• You can construct logical devices for ZFS using volumes presented by software-based volume managers,such as Solaris™ Volume Manager (SVM) or Veritas Volume Manager (VxVM). However, theseconfigurations are not recommended. While ZFS functions properly on such devices, less-than-optimalperformance might be the result.

For additional information about storage pool recommendations, see the ZFS best practices guide.

Disks are identified both by their path and by their device ID, if available. This method allows devicesto be reconfigured on a system without having to update any ZFS state. If a disk is switched betweencontroller 1 and controller 2, ZFS uses the device ID to detect that the disk has moved and should nowbe accessed using controller 2. The device ID is unique to the drive’s firmware. While unlikely, somefirmware updates have been known to change device IDs. If this situation happens, ZFS can still accessthe device by path and update the stored device ID automatically. If you inadvertently change both thepath and the ID of the device, then export and re-import the pool in order to use it.

Using Files in a ZFS Storage Pool

ZFS also allows you to use UFS files as virtual devices in your storage pool. This feature is aimed primarilyat testing and enabling simple experimentation, not for production use. The reason is that any use of filesrelies on the underlying file system for consistency. If you create a ZFS pool backed by files on a UFSfile system, then you are implicitly relying on UFS to guarantee correctness and synchronous semantics.

However, files can be quite useful when you are first trying out ZFS or experimenting with more com-plicated layouts when not enough physical devices are present. All files must be specified as completepaths and must be at least 64 Mbytes in size. If a file is moved or renamed, the pool must be exported andre-imported in order to use it, as no device ID is associated with files by which they can be located.

Identifying Virtual Devices in a Storage Pool

Each storage pool is comprised of one or more virtual devices. A virtual device is an internal representationof the storage pool that describes the layout of physical storage and its fault characteristics. As such, avirtual device represents the disk devices or files that are used to create the storage pool.

Two top-level virtual devices provide data redundancy: mirror and RAID-Z virtual devices. These virtualdevices consist of disks, disk slices, or files.

Disks, disk slices, or files that are used in pools outside of mirrors and RAID-Z virtual devices, functionas top-level virtual devices themselves.

Storage pools typically contain multiple top-level virtual devices. ZFS dynamically stripes data among allof the top-level virtual devices in a pool.

4.2 Replication Features of a ZFS Storage Pool

ZFS provides data redundancy, as well as self-healing properties, in a mirrored and a RAID-Z configuration.

• Section 4.2

• Section 4.2

• Section 4.2

• Section 4.2

35


Mirrored Storage Pool Configuration

A mirrored storage pool configuration requires at least two disks, preferably on separate controllers. Manydisks can be used in a mirrored configuration. In addition, you can create more than one mirror in eachpool. Conceptually, a simple mirrored configuration would look similar to the following:mirror c1t0d0 c2t0d0

Conceptually, a more complex mirrored configuration would look similar to the following:mirror c1t0d0 c2t0d0 c3t0d0 mirror c4t0d0 c5t0d0 c6t0d0

For information about creating a mirrored storage pool, see Section 4.3.

RAID-Z Storage Pool Configuration

In addition to a mirrored storage pool configuration, ZFS provides a RAID-Z configuration with eithersingle or double parity fault tolerance. Single-parity RAID-Z is similar to RAID-5. Double-parity RAID-Zis similar to RAID-6.

All traditional RAID-5-like algorithms (RAID-4. RAID-5. RAID-6, RDP, and EVEN-ODD, for example)suffer from a problem known as the “RAID-5 write hole.” If only part of a RAID-5 stripe is written,and power is lost before all blocks have made it to disk, the parity will remain out of sync with the data,and therefore useless, forever (unless a subsequent full-stripe write overwrites it). In RAID-Z, ZFS usesvariable-width RAID stripes so that all writes are full-stripe writes. This design is only possible becauseZFS integrates file system and device management in such a way that the file system’s metadata hasenough information about the underlying data redundancy model to handle variable-width RAID stripes.RAID-Z is the world’s first software-only solution to the RAID-5 write hole.

You need at least two disks for a RAID-Z configuration. Otherwise, no special hardware is required tocreate a RAID-Z configuration. Currently, RAID-Z provides single parity. For example, if you have threedisks in a RAID-Z configuration, parity data occupies space equal to one of the three disks.

A RAID-Z configuration with N disks of size X with P parity disks can hold approximately (N-P)*X bytesand can withstand P device(s) failing before data integrity is compromised. You need at least two disks for asingle-parity RAID-Z configuration and at least three disks for a double-parity RAID-Z configuration. Forexample, if you have three disks in a single-parity RAID-Z configuration, parity data occupies space equalto one of the three disks. Otherwise, no special hardware is required to create a RAID-Z configuration.

Conceptually, a RAID-Z configuration with three disks would look similar to the following:raidz c1t0d0 c2t0d0 c3t0d0

A more complex conceptual RAID-Z configuration would look similar to the following:raidz c1t0d0 c2t0d0 c3t0d0 c4t0d0 c5t0d0 c6t0d0 c7t0d0 raidz c8t0d0 c9t0d0 c10t0d0 c11t0d0c12t0d0 c13t0d0 c14t0d0

If you are creating a RAID-Z configuration with many disks, as in this example, a RAID-Z configurationwith 14 disks is better split into a two 7-disk groupings. RAID-Z configurations with single-digit groupingsof disks should perform better.

For information about creating a RAID-Z storage pool, see Section 4.3.

For more information about choosing between a mirrored configuration or a RAID-Z configuration basedon performance and space considerations, see the blog post, When To (And Not To) Use RAID-Z. Foradditional information on RAID-Z storage pool recommendations, see the ZFS best practices guide.

36

4.3. Creating and Destroying ZFS Storage Pools

Self-Healing Data in a Redundant Configuration

ZFS provides for self-healing data in a mirrored or RAID-Z configuration.

When a bad data block is detected, not only does ZFS fetch the correct data from another redundant copy,but it also repairs the bad data by replacing it with the good copy.

Dynamic Striping in a Storage Pool

For each virtual device that is added to the pool, ZFS dynamically stripes data across all available devices.The decision about where to place data is done at write time, so no fixed width stripes are created atallocation time.

When virtual devices are added to a pool, ZFS gradually allocates data to the new device in order tomaintain performance and space allocation policies. Each virtual device can also be a mirror or a RAID-Zdevice that contains other disk devices or files. This configuration allows for flexibility in controlling thefault characteristics of your pool. For example, you could create the following configurations out of 4disks:

• Four disks using dynamic striping

• One four-way RAID-Z configuration

• Two two-way mirrors using dynamic striping

While ZFS supports combining different types of virtual devices within the same pool, this practice isnot recommended. For example, you can create a pool with a two-way mirror and a three-way RAID-Zconfiguration. However, your fault tolerance is as good as your worst virtual device, RAID-Z in this case.The recommended practice is to use top-level virtual devices of the same type with the same redundancylevel in each device.

4.3 Creating and Destroying ZFS Storage Pools

The following sections describe different scenarios for creating and destroying ZFS storage pools.

• Section 4.3

• Section 4.3

• Section 4.3

By design, creating and destroying pools is fast and easy. However, be cautious when doing these operations.Although checks are performed to prevent using devices known to be in use in a new pool, ZFS cannotalways know when a device is already in use. Destroying a pool is even easier. Use zpool destroy withcaution. This is a simple command with significant consequences.

Creating a ZFS Storage Pool

To create a storage pool, use the zpool create command. This command takes a pool name and anynumber of virtual devices as arguments. The pool name must satisfy the naming conventions outlined inSection 1.4.

37


Creating a Basic Storage Pool

The following command creates a new pool named tank that consists of the disks c1t0d0 and c1t1d0:

# zpool create tank c1t0d0 c1t1d0

These whole disks are found in the /dev/dsk directory and are labelled appropriately by ZFS to containa single, large slice. Data is dynamically striped across both disks.

Creating a Mirrored Storage Pool

To create a mirrored pool, use the mirror keyword, followed by any number of storage devices thatwill comprise the mirror. Multiple mirrors can be specified by repeating the mirror keyword on thecommand line. The following command creates a pool with two, two-way mirrors:

# zpool create tank mirror c1d0 c2d0 mirror c3d0 c4d0

The second mirror keyword indicates that a new top-level virtual device is being specified. Data isdynamically striped across both mirrors, with data being redundant between each disk appropriately.

Currently, the following operations are supported on a ZFS mirrored configuration:

• Adding another set of disks for an additional top-level vdev to an existing mirrored configuration. Formore information, see Section 4.4.

• Attaching additional disks to an existing mirrored configuration. Or, attaching additional disks to anon-replicated configuration to create a mirrored configuration. For more information, see Section 4.4.

• Replace a disk or disks in an existing mirrored configuration as long as the replacement disks are greaterthan or equal to the device to be replaced. For more information, see Section 4.4.

• Detach a disk or disk in a mirrored configuration as long as the remaining devices provide adequateredundancy for the configuration. For more information, see Section 4.4.

Currently, the following operations are not supported on a mirrored configuration:

• You cannot outright remove a device from a mirrored storage pool. An RFE is filed for this feature.

• You cannot split or break a mirror for backup purposes. An RFE is filed for this feature.

Creating RAID-Z Storage Pools

Creating a single-parity RAID-Z pool is identical to creating a mirrored pool, except that the raidz orraidz1 keyword is used instead of mirror. The following example shows how to create a pool with asingle RAID-Z device that consists of five disks:

# zpool create tank raidz c1t0d0 c2t0d0 c3t0d0 c4t0d0 /dev/dsk/c5t0d0

This example demonstrates that disks can be specified by using their full paths. The /dev/dsk/c5t0d0device is identical to the c5t0d0 device.

A similar configuration could be created with disk slices. For example:

38


# zpool create tank raidz c1t0d0s0 c2t0d0s0 c3t0d0s0 c4t0d0s0 c5t0d0s0

However, the disks must be preformatted to have an appropriately sized slice zero.

You can create a double-parity RAID-Z configuration by using the raidz2 keyword when the pool iscreated. For example:

# zpool create tank raidz2 c1t0d0 c2t0d0 c3t0d0# zpool status -v tankpool: tank


NAME STATE READ WRITE CKSUMtank ONLINE 0 0 0raidz2 ONLINE 0 0 0c1t0d0 ONLINE 0 0 0c2t0d0 ONLINE 0 0 0c3t0d0 ONLINE 0 0 0


Currently, the following operations are supported on a ZFS RAID-Z configuration:

• Add another set of disks for an additional top-level vdev to an existing RAID-Z configuration. Formore information, see Section 4.4.

• Replace a disk or disks in an existing RAID-Z configuration as long as the replacement disks are greaterthan or equal to the device to be replaced. For more information, see Section 4.4.

Currently, the following operations are not supported on a RAID-Z configuration:

• Attach an additional disk to an existing RAID-Z configuration.

• Detach a disk from a RAID-Z configuration.

• You cannot outright remove a device from a RAID-Z configuration. An RFE is filed for this feature.

For more information about a RAID-Z configuration, see Section 4.2.

Creating a ZFS Storage Pool with Log Devices

By default, the ZIL is allocated from blocks within the main pool. However, better performance might bepossible by using separate intent log devices, such as NVRAM or a dedicated disk. For more informationabout ZFS log devices, see Section 1.1.

You can set up a ZFS logging device when the storage pool is created or after the pool is created.

For example, create a mirrored storage pool with mirrored log devices.

39


# zpool create datap mirror c1t1d0 c1t2d0 mirror c1t3d0 c1t4d0 log mirror c1t5d0 c1t8d0# zpool statuspool: datap


NAME STATE READ WRITE CKSUMdatap ONLINE 0 0 0mirror ONLINE 0 0 0c1t1d0 ONLINE 0 0 0c1t2d0 ONLINE 0 0 0

mirror ONLINE 0 0 0c1t3d0 ONLINE 0 0 0c1t4d0 ONLINE 0 0 0

logs ONLINE 0 0 0mirror ONLINE 0 0 0c1t5d0 ONLINE 0 0 0c1t8d0 ONLINE 0 0 0


Creating a ZFS Storage Pool with Cache Devices

You can create a storage pool with cache devices to cache storage pool data. For example:

# zpool create tank mirror c2t0d0 c2t1d0 c2t3d0 cache c2t5d0 c2t8d0# zpool status tankpool: tank


NAME STATE READ WRITE CKSUMtank ONLINE 0 0 0mirror ONLINE 0 0 0c2t0d0 ONLINE 0 0 0c2t1d0 ONLINE 0 0 0c2t3d0 ONLINE 0 0 0

cachec2t5d0 ONLINE 0 0 0c2t8d0 ONLINE 0 0 0

Review the following points when considering whether to create a ZFS storage pool with cache devices:

• Using cache devices provide the greatest performance improvement for random read-workloads ofmostly static content.

• Capacity and reads can be monitored by using the zpool iostat command.

• Single or multiple cache devices can be added when the pool is created or added and removed after thepool is created. For more information, see Example 4.3.

• Cache devices cannot be mirrored or be part of a RAID-Z configuration.

40


• If a read error is encountered on a cache device, that read I/O is reissued to the original storage pooldevice, which might be part of a mirrored or RAID-Z configuration. The content of the cache devices isconsidered volatile, as is the case with other system caches.

Handling ZFS Storage Pool Creation Errors

Pool creation errors can occur for many reasons. Some of these reasons are obvious, such as when aspecified device doesn’t exist, while other reasons are more subtle.

Detecting in Use Devices

Before formatting a device, ZFS first determines if the disk is in use by ZFS or some other part of theoperating system. If the disk is in use, you might see errors such as the following:

# zpool create tank c1t0d0 c1t1d0invalid vdev specificationuse ’-f’ to override the following errors:/dev/dsk/c1t0d0s0 is currently mounted on /. Please see umount(1M)./dev/dsk/c1t0d0s1 is currently mounted on swap. Please see swap(1M)./dev/dsk/c1t1d0s0 is part of active ZFS pool zeepool. Please see zpool(1M).

Some of these errors can be overridden by using the -f option, but most errors cannot. The followinguses cannot be overridden by using the -f option, and you must manually correct them:

Mounted file systemThe disk or one of its slices contains a file system that is currently mounted. To correct this error,use the umount command.

File system in /etc/vfstabThe disk contains a file system that is listed in the /etc/vfstab file, but the file system is notcurrently mounted. To correct this error, remove or comment out the line in the /etc/vfstabfile.

Dedicated dump deviceThe disk is in use as the dedicated dump device for the system. To correct this error, use thedumpadm command.

Part of a ZFS poolThe disk or file is part of an active ZFS storage pool. To correct this error, use the zpool commandto destroy the pool.

The following in-use checks serve as helpful warnings and can be overridden by using the -f option tocreate the pool:

Contains a file systemThe disk contains a known file system, though it is not mounted and doesn’t appear to be in use.

Part of volumeThe disk is part of an SVM volume.

41


Live upgradeThe disk is in use as an alternate boot environment for Solaris Live Upgrade.

Part of exported ZFS poolThe disk is part of a storage pool that has been exported or manually removed from a system. In thelatter case, the pool is reported as potentially active, as the disk might or might not be anetwork-attached drive in use by another system. Be cautious when overriding a potentially activepool.

The following example demonstrates how the -f option is used:

# zpool create tank c1t0d0invalid vdev specificationuse ’-f’ to override the following errors:/dev/dsk/c1t0d0s0 contains a ufs filesystem.# zpool create -f tank c1t0d0

Ideally, correct the errors rather than use the -f option.

Mismatched Replication Levels

Creating pools with virtual devices of different replication levels is not recommended. The zpool commandtries to prevent you from accidentally creating a pool with mismatched levels of redundancy. If you try tocreate a pool with such a configuration, you see errors similar to the following:

# zpool create tank c1t0d0 mirror c2t0d0 c3t0d0invalid vdev specificationuse ’-f’ to override the following errors:mismatched replication level: both disk and mirror vdevs are present# zpool create tank mirror c1t0d0 c2t0d0 mirror c3t0d0 c4t0d0 c5t0d0invalid vdev specificationuse ’-f’ to override the following errors:mismatched replication level: 2-way mirror and 3-way mirror vdevs are present

You can override these errors with the -f option, though this practice is not recommended. The commandalso warns you about creating a mirrored or RAID-Z pool using devices of different sizes. While thisconfiguration is allowed, mismatched levels of redundancy result in unused space on the larger device,and requires the -f option to override the warning.

Doing a Dry Run of Storage Pool Creation

Because creating a pool can fail unexpectedly in different ways, and because formatting disks is sucha potentially harmful action, the zpool create command has an additional option, -n, which simulatescreating the pool without actually writing data to disk. This option performs the device in-use checkingand replication level validation, and reports any errors in the process. If no errors are found, you see outputsimilar to the following:

# zpool create -n tank mirror c1t0d0 c1t1d0would create ’tank’ with the following layout:

tankmirrorc1t0d0c1t1d0

42


Some errors cannot be detected without actually creating the pool. The most common example is specifyingthe same device twice in the same configuration. This error cannot be reliably detected without writing thedata itself, so the create -n command can report success and yet fail to create the pool when run for real.

Default Mount Point for Storage Pools

When a pool is created, the default mount point for the root dataset is /pool-name. This directory musteither not exist or be empty. If the directory does not exist, it is automatically created. If the directory isempty, the root dataset is mounted on top of the existing directory. To create a pool with a different defaultmount point, use the -m option of the zpool create command:

# zpool create home c1t0d0default mountpoint ’/home’ exists and is not emptyuse ’-m’ option to specify a different default# zpool create -m /export/zfs home c1t0d0

# zpool create home c1t0d0default mountpoint ’/home’ exists and is not emptyuse ’-m’ option to provide a different default# zpool create -m /export/zfs home c1t0d0

This command creates a new pool home and the home dataset with a mount point of /export/zfs.

For more information about mount points, see Section 5.5.

Destroying ZFS Storage Pools

Pools are destroyed by using the zpool destroy command. This command destroys the pool even if itcontains mounted datasets.

# zpool destroy tank

CautionBe very careful when you destroy a pool. Make sure you are destroying the right pool and youalways have copies of your data. If you accidentally destroy the wrong pool, you can attempt torecover the pool. For more information, see Section 4.7.

Destroying a Pool With Faulted Devices

The act of destroying a pool requires that data be written to disk to indicate that the pool is no longer valid.This state information prevents the devices from showing up as a potential pool when you perform animport. If one or more devices are unavailable, the pool can still be destroyed. However, the necessarystate information won’t be written to these damaged devices.

These devices, when suitably repaired, are reported as potentially active when you create a new pool, andappear as valid devices when you search for pools to import. If a pool has enough faulted devices suchthat the pool itself is faulted (meaning that a top-level virtual device is faulted), then the command prints awarning and cannot complete without the -f option. This option is necessary because the pool cannot beopened, so whether data is stored there or not is unknown. For example:

43


# zpool destroy tankcannot destroy ’tank’: pool is faulteduse ’-f’ to force destruction anyway# zpool destroy -f tank

For more information about pool and device health, see Section 4.6.

For more information about importing pools, see Section 4.7.

4.4 Managing Devices in ZFS Storage Pools

Most of the basic information regarding devices is covered in Section 4.1. Once a pool has been created,you can perform several tasks to manage the physical devices within the pool.

• Section 4.4

• Section 4.4

• Section 4.4

• Section 4.4

• Section 4.4

• Section 4.4

Adding Devices to a Storage Pool

You can dynamically add space to a pool by adding a new top-level virtual device. This space is immediatelyavailable to all datasets within the pool. To add a new virtual device to a pool, use the zpool add command.For example:

# zpool add zeepool mirror c2t1d0 c2t2d0

The format of the virtual devices is the same as for the zpool create command, and the same rulesapply. Devices are checked to determine if they are in use, and the command cannot change the level ofredundancy without the -f option. The command also supports the -n option so that you can perform adry run. For example:

# zpool add -n zeepool mirror c3t1d0 c3t2d0would update ’zeepool’ to the following configuration:

zeepoolmirror

c1t0d0c1t1d0

mirrorc2t1d0c2t2d0

mirrorc3t1d0c3t2d0

44

4.4. Managing Devices in ZFS Storage Pools

This command syntax would add mirrored devices c3t1d0 and c3t2d0 to zeepool’s existing config-uration.

For more information about how virtual device validation is done, see Section 4.3.

Example 4.1: Adding Disks to a RAID-Z Configuration

Additional disks can be added similarly to a RAID-Z configuration. The following example shows how toconvert a storage pool with one RAID–Z device comprised of 3 disks to a storage pool with two RAID-Zdevices comprised of 3 disks.

# zpool statuspool: rpool


NAME STATE READ WRITE CKSUMrpool ONLINE 0 0 0raidz1 ONLINE 0 0 0c1t2d0 ONLINE 0 0 0c1t3d0 ONLINE 0 0 0c1t4d0 ONLINE 0 0 0

errors: No known data errors# zpool add rpool raidz c2t2d0 c2t3d0 c2t4d0# zpool statuspool: rpool


NAME STATE READ WRITE CKSUMrpool ONLINE 0 0 0raidz1 ONLINE 0 0 0c1t2d0 ONLINE 0 0 0c1t3d0 ONLINE 0 0 0c1t4d0 ONLINE 0 0 0

raidz1 ONLINE 0 0 0c2t2d0 ONLINE 0 0 0c2t3d0 ONLINE 0 0 0c2t4d0 ONLINE 0 0 0


Example 4.2: Adding a Mirrored Log Device to a ZFS Storage Pool

The following example shows how to add a mirrored log device to mirrored storage pool. For moreinformation about using log devices in your storage pool, see Section 1.1.

# zpool status newpoolpool: newpool


NAME STATE READ WRITE CKSUMnewpool ONLINE 0 0 0mirror ONLINE 0 0 0

45


c1t9d0 ONLINE 0 0 0c1t10d0 ONLINE 0 0 0

errors: No known data errors# zpool add newpool log mirror c1t11d0 c1t12d0# zpool status newpoolpool: newpool


NAME STATE READ WRITE CKSUMnewpool ONLINE 0 0 0mirror ONLINE 0 0 0c1t9d0 ONLINE 0 0 0c1t10d0 ONLINE 0 0 0

logs ONLINE 0 0 0mirror ONLINE 0 0 0c1t11d0 ONLINE 0 0 0c1t12d0 ONLINE 0 0 0


You can attach a log device to an existing log device to create a mirrored log device. This operation isidentical to attaching a device in a unmirrored storage pool.

Example 4.3: Adding and Removing Cache Devices to Your ZFS Storage Pool

You can add and remove cache devices to your ZFS storage pool.Use the zpool add command to add cache devices. For example:

# zpool add tank cache c2t5d0 c2t8d0# zpool status tankpool: tankstate: ONLINEscrub: none requested

config:


cachec2t5d0 ONLINE 0 0 0c2t8d0 ONLINE 0 0 0


Cache devices cannot be mirrored or be part of a RAID-Z configuration.Use the zpool remove command to remove cache devices. For example:

E zpool remove tank c2t5d0 c2t8d0# zpool status tankpool: tankstate: ONLINEscrub: none requested

config:

46




Currently, the zpool remove command only supports removing hot spares and cache devices. Devices thatare part of the main mirrored pool configuration can be removed by using the zpool detach command.Non-redundant and RAID-Z devices cannot be removed from a pool.For more information about using cache devices in a ZFS storage pool, see Section 4.3.

Attaching and Detaching Devices in a Storage Pool

In addition to the zpool add command, you can use the zpool attach command to add a new device to anexisting mirrored or non-mirrored device.

Example 4.4: Converting a Two-Way Mirrored Storage Pool to a Three-way Mirrored Storage Pool

In this example, zeepool is an existing two-way mirror that is transformed to a three-way mirror byattaching c2t1d0, the new device, to the existing device, c1t1d0.

# zpool statuspool: zeepool


NAME STATE READ WRITE CKSUMzeepool ONLINE 0 0 0mirror ONLINE 0 0 0c0t1d0 ONLINE 0 0 0c1t1d0 ONLINE 0 0 0

errors: No known data errors# zpool attach zeepool c1t1d0 c2t1d0# zpool statuspool: zeepool

state: ONLINEscrub: resilver completed with 0 errors on Fri Jan 12 14:47:36 2007config:

NAME STATE READ WRITE CKSUMzeepool ONLINE 0 0 0mirror ONLINE 0 0 0c0t1d0 ONLINE 0 0 0c1t1d0 ONLINE 0 0 0c2t1d0 ONLINE 0 0 0

If the existing device is part of a two-way mirror, attaching the new device, creates a three-way mirror,and so on. In either case, the new device begins to resilver immediately.

Example 4.5: Converting a Non-Redundant ZFS Storage Pool to a Mirrored ZFS Storage Pool

47


In addition, you can convert a non-redundant storage pool into a redundant storage pool by using the zpoolattach command. For example:# zpool create tank c0t1d0# zpool statuspool: tank


NAME STATE READ WRITE CKSUMtank ONLINE 0 0 0c0t1d0 ONLINE 0 0 0

errors: No known data errors# zpool attach tank c0t1d0 c1t1d0# zpool statuspool: tank

state: ONLINEscrub: resilver completed with 0 errors on Fri Jan 12 14:55:48 2007config:

NAME STATE READ WRITE CKSUMtank ONLINE 0 0 0mirror ONLINE 0 0 0c0t1d0 ONLINE 0 0 0c1t1d0 ONLINE 0 0 0

You can use the zpool detach command to detach a device from a mirrored storage pool. For example:# zpool detach zeepool c2t1d0

However, this operation is refused if there are no other valid replicas of the data. For example:# zpool detach newpool c1t2d0cannot detach c1t2d0: only applicable to mirror and replacing vdevs

Onlining and Offlining Devices in a Storage Pool

ZFS allows individual devices to be taken offline or brought online. When hardware is unreliable or notfunctioning properly, ZFS continues to read or write data to the device, assuming the condition is onlytemporary. If the condition is not temporary, it is possible to instruct ZFS to ignore the device by bringingit offline. ZFS does not send any requests to an offlined device.

NoteDevices do not need to be taken offline in order to replace them.

You can use the offline command when you need to temporarily disconnect storage. For example, if youneed to physically disconnect an array from one set of Fibre Channel switches and connect the array to adifferent set, you could take the LUNs offline from the array that was used in ZFS storage pools. After thearray was reconnected and operational on the new set of switches, you could then bring the same LUNsonline. Data that had been added to the storage pools while the LUNs were offline would resilver to theLUNs after they were brought back online.

This scenario is possible assuming that the systems in question see the storage once it is attached to thenew switches, possibly through different controllers than before, and your pools are set up as RAID-Z ormirrored configurations.

48


Taking a Device Offline

You can take a device offline by using the zpool offline command. The device can be specified by path orby short name, if the device is a disk. For example:

# zpool offline tank c1t0d0bringing device c1t0d0 offline

Keep the following points in mind when taking a device offline:

• You cannot take a pool offline to the point where it becomes faulted. For example, you cannot takeoffline two devices out of a RAID-Z configuration, nor can you take offline a top-level virtual device.

# zpool offline tank c1t0d0cannot offline c1t0d0: no valid replicas

• By default, the offline state is persistent. The device remains offline when the system is rebooted.

To temporarily take a device offline, use the zpool offline -t option. For example:

# zpool offline -t tank c1t0d0bringing device ’c1t0d0’ offline

When the system is rebooted, this device is automatically returned to the ONLINE state.

• When a device is taken offline, it is not detached from the storage pool. If you attempt to use the offlineddevice in another pool, even after the original pool is destroyed, you will see a message similar to thefollowing:

device is part of exported or potentially active ZFS pool. Please see zpool(1M)

If you want to use the offlined device in another storage pool after destroying the original storage pool,first bring the device back online, then destroy the original storage pool.

Another way to use a device from another storage pool if you want to keep the original storage pool is toreplace the existing device in the original storage pool with another comparable device. For informationabout replacing devices, see Section 4.4.

Offlined devices show up in the OFFLINE state when you query pool status. For information aboutquerying pool status, see Section 4.6.

For more information on device health, see Section 4.6.

Bringing a Device Online

Once a device is taken offline, it can be restored by using the zpool online command:

# zpool online tank c1t0d0bringing device c1t0d0 online

When a device is brought online, any data that has been written to the pool is resynchronized to the newlyavailable device. Note that you cannot use device onlining to replace a disk. If you offline a device, replacethe drive, and try to bring it online, it remains in the faulted state.

If you attempt to online a faulted device, a message similar to the following is displayed from fmd:

49


# zpool online tank c1t0d0Bringing device c1t0d0 online#SUNW-MSG-ID: ZFS-8000-D3, TYPE: Fault, VER: 1, SEVERITY: MajorEVENT-TIME: Thu Aug 31 11:13:59 MDT 2006PLATFORM: SUNW,Ultra-60, CSN: -, HOSTNAME: neoSOURCE: zfs-diagnosis, REV: 1.0EVENT-ID: e11d8245-d76a-e152-80c6-e63763ed7e4fDESC: A ZFS device failed. Refer to http://illumos.org/msg/ZFS-8000-D3 for more information.AUTO-RESPONSE: No automated response will occur.IMPACT: Fault tolerance of the pool may be compromised.REC-ACTION: Run ’zpool status -x’ and replace the bad device.

For more information on replacing a faulted device, see Section 10.5.

Clearing Storage Pool Devices

If a device is taken offline due to a failure that causes errors to be listed in the zpool status output, youcan clear the error counts with the zpool clear command.

If specified with no arguments, this command clears all device errors within the pool. For example:

# zpool clear tank

If one or more devices are specified, this command only clear errors associated with the specified devices.For example:

# zpool clear tank c1t0d0

For more information on clearing zpool errors, see Section 10.6.

Replacing Devices in a Storage Pool

You can replace a device in a storage pool by using the zpool replace command.

If you are physically replacing a device with another device in the same location in a redundant pool, thenyou only need identify the replaced device. ZFS recognizes that it is a different disk in the same location.For example, to replace a failed disk (c1t1d0) by removing the disk and replacing it in the same location,use the syntax similar to the following:

# zpool replace tank c1t1d0

If you are replacing a device in a non-redundant storage pool that contains only one device, you will needto specify both devices. For example:

# zpool replace tank c1t1d0 c1t2d0

Keep the following considerations in mind when replacing devices in a ZFS storage pool:

• The replacement device must be greater than or equal to the minimum size of all the devices in amirrored or RAID-Z configuration.

• If the replacement device is larger, the pool capacity is increased when the replacement is complete.Currently, you must export and import the pool to see the expanded capacity. For example:

50


# zpool list tankNAME SIZE USED AVAIL CAP HEALTH ALTROOTtank 16.8G 94K 16.7G 0% ONLINE -# zpool replace tank c0t0d0 c0t4d0# zpool list tankNAME SIZE USED AVAIL CAP HEALTH ALTROOTtank 16.8G 112K 16.7G 0% ONLINE -# zpool export tank# zpool import tank# zpool list tankNAME SIZE USED AVAIL CAP HEALTH ALTROOTtank 33.9G 114K 33.9G 0% ONLINE -

For more information about exporting and importing pools, see Section 4.7.

• Currently, you must also perform the export and import steps when growing the size of an existing LUNthat is part of a storage pool to see the expanded capacity.

• Replacing many disks in a large pool is time consuming due to resilvering the data onto the new disks.In addition, you might consider running the zpool scrub command between disk replacements to ensurethat the replacement devices are operational and the data is written correctly.

For more information about replacing devices, see Section 10.5 and Section 10.6.

Designating Hot Spares in Your Storage Pool

The hot spares feature enables you to identify disks that could be used to replace a failed or faulted devicein one or more storage pools. Designating a device as a hot spare means that the device is not an activedevice in a pool, but if an active device in the pool fails, the hot spare automatically replaces the faileddevice.

Devices can be designated as hot spares in the following ways:

• When the pool is created with the zpool create command

• After the pool is created with the zpool add command

• Hot spare devices can be shared between multiple pools

Designate devices as hot spares when the pool is created. For example:

# zpool create zeepool mirror c1t1d0 c2t1d0 spare c1t2d0 c2t2d0# zpool status zeepoolpool: zeepoolstate: ONLINEscrub: none requested

config:


sparesc1t2d0 AVAILc2t2d0 AVAIL

51


Designate hot spares by adding them to a pool after the pool is created. For example:

# zpool add -f zeepool spare c1t3d0 c2t3d0# zpool status zeepoolpool: zeepoolstate: ONLINEscrub: none requested

config:



Multiple pools can share devices that are designated as hot spares. For example:

# zpool create zeepool mirror c1t1d0 c2t1d0 spare c1t2d0 c2t2d0# zpool create tank raidz c3t1d0 c4t1d0 spare c1t2d0 c2t2d0

Hot spares can be removed from a storage pool by using the zpool remove command. For example:

# zpool remove zeepool c1t2d0# zpool status zeepoolpool: zeepoolstate: ONLINEscrub: none requested

config:


sparesc1t3d0 AVAIL

A hot spare cannot be removed if it is currently used by the storage pool.

Keep the following points in mind when using ZFS hot spares:

• Currently, the zpool remove command can only be used to remove hot spares.

• Add a disk as a spare that is equal to or larger than the size of the largest disk in the pool. Adding asmaller disk as a spare to a pool is allowed. However, when the smaller spare disk is activated, eitherautomatically or with the zpool replace command, the operation fails with an error similar to thefollowing:

cannot replace disk3 with disk4: device is too small

Activating and Deactivating Hot Spares in Your Storage Pool

Hot spares are activated in the following ways:

52


• Manually replacement – Replace a failed device in a storage pool with a hot spare by using the zpoolreplace command.

• Automatic replacement – When a fault is received, an FMA agent examines the pool to see if it has anyavailable hot spares. If so, it replaces the faulted device with an available spare.

If a hot spare that is currently in use fails, the agent detaches the spare and thereby cancels the replace-ment. The agent then attempts to replace the device with another hot spare, if one is available. Thisfeature is currently limited by the fact that the ZFS diagnosis engine only emits faults when a devicedisappears from the system.

Currently, no automated response is available to bring the original device back online. You mustexplicitly take one of the actions described in the example below. A future enhancement will allow ZFSto subscribe to hotplug events and automatically replace the affected device when it is replaced on thesystem.

Manually replace a device with a hot spare by using the zpool replace command. For example:

# zpool replace zeepool c2t1d0 c2t3d0# zpool status zeepoolpool: zeepool

state: ONLINEscrub: resilver completed with 0 errors on Fri Jun 2 13:44:40 2006config:

NAME STATE READ WRITE CKSUMzeepool ONLINE 0 0 0mirror ONLINE 0 0 0c1t2d0 ONLINE 0 0 0spare ONLINE 0 0 0c2t1d0 ONLINE 0 0 0c2t3d0 ONLINE 0 0 0

sparesc1t3d0 AVAILc2t3d0 INUSE currently in use


A faulted device is automatically replaced if a hot spare is available. For example:

# zpool status -xpool: zeepoolstate: DEGRADED

status: One or more devices could not be opened. Sufficient replicas exist forthe pool to continue functioning in a degraded state.

action: Attach the missing device and online it using ’zpool online’.see: http://illumos.org/msg/ZFS-8000-D3

scrub: resilver completed with 0 errors on Fri Jun 2 13:56:49 2006config:

NAME STATE READ WRITE CKSUMzeepool DEGRADED 0 0 0

mirror DEGRADED 0 0 0c1t2d0 ONLINE 0 0 0spare DEGRADED 0 0 0c2t1d0 UNAVAIL 0 0 0 cannot openc2t3d0 ONLINE 0 0 0

sparesc1t3d0 AVAIL

53


c2t3d0 INUSE currently in use


Currently, three ways to deactivate hot spares are available:

• Canceling the hot spare by removing it from the storage pool

• Replacing the original device with a hot spare

• Permanently swapping in the hot spare

After the faulted device is replaced, use the zpool detach command to return the hot spare back to thespare set. For example:

# zpool detach zeepool c2t3d0# zpool status zeepoolpool: zeepool

state: ONLINEscrub: resilver completed with 0 errors on Fri Jun 2 13:58:35 2006config:




4.5 Managing ZFS Storage Pool Properties

You can use the zpool get command to display pool property information. For example:

# zpool get all tank2NAME PROPERTY VALUE SOURCEtank2 size 33.8G -tank2 used 158K -tank2 available 33.7G -tank2 capacity 0% -tank2 altroot - defaulttank2 health ONLINE -tank2 guid 8032621780930948264 -tank2 version 8 defaulttank2 bootfs - defaulttank2 delegation on defaulttank2 autoreplace off defaulttank2 temporary off defaulttank2 failmode wait default

Storage pool properties can be set with the zpool set command. For example:

54

4.5. Managing ZFS Storage Pool Properties

# zpool set autoreplace=on tank# zpool get autoreplace tankNAME PROPERTY VALUE SOURCEtank autoreplace on default

Table 4.1: ZFS Pool Property Descriptions

PropertyName Type Default

Value Description

altroot String off

Identifies an alternate root directory. If set, thisdirectory is prepended to any mount points within thepool. This property can be used when examining anunknown pool, if the mount points cannot be trusted,or in an alternate boot environment, where the typicalpaths are not valid. Setting this property implies thatthe temporary property is also set.

available Number N/A

Read-only value that identifies the amount of storagethat is available within the pool.This property can also be referred to by its shortenedcolumn name, avail.

autoreplace

Boolean off

Controls automatic device replacement. If set to off,device replacement must be initiated by theadministrator by using the zpool replace command.If set to on, any new device, found in the samephysical location as a device that previously belongedto the pool, is automatically formatted and replaced.The default behavior is off. This property can also bereferred to by its shortened column name, replace.

bootfs Boolean N/AIdentifies the default bootable dataset for the rootpool. This property is expected to be set mainly by theinstallation and upgrade programs.

capacity Number N/A

Read-only value that identifies the percentage of poolspace used.This property can also be referred to by its shortenedcolumn name, cap.

delegation Boolean onControls whether a non-privileged user can be grantedaccess permissions that are defined for the dataset.For more information, see Chapter 8.

guid String N/ARead-only property that identifies the uniqueidentifier for the pool.

health String N/ARead-only property that identifies the current healthof the pool, as either ONLINE, DEGRADED,FAULTED, OFFLINE, REMOVED, or UNAVAIL.

size Number N/ARead-only property that identifies the total size of thestorage pool.

used Number N/ARead-only property that identifies the amount ofstorage space used within the pool.

55


Table 4.1: (continued)


Value Description

temporary Boolean off

Controls whether the pool is available temporarily. Bydefault, all pools are persistent, and are automaticallyopened when the system is rebooted. Setting thisproperty to on causes the pool to exist only while thesystem is up. If the system is rebooted, the pool has tobe manually imported by using the zpool importcommand. Setting this property is helpful when usingpools on removable media, where the devices mightnot be present when the system reboots.This property can also be referred to by its shortenedcolumn name, temp.

version Number N/A

Identifies the current on-disk version of the pool. Thevalue of this property can be increased, but neverdecreased. The preferred method of updating pools iswith the zpool upgrade command, although thisproperty can be used when a specific version isneeded for backwards compatibility. This propertycan be set to any number between 1 and the currentversion reported by the zpool upgrade -v command.The current value is an alias for the latestsupported version.

4.6 Querying ZFS Storage Pool Status

The zpool list command provides a number of ways to request information regarding pool status. Theinformation available generally falls into three categories: basic usage information, I/O statistics, andhealth status. All three types of storage pool information are covered in this section.

• Section 4.6

• Section 4.6

• Section 4.6

Displaying Basic ZFS Storage Pool Information

You can use the zpool list command to display basic information about pools.

Listing Information About All Storage Pools

With no arguments, the command displays all the fields for all pools on the system. For example:

56

4.6. Querying ZFS Storage Pool Status

# zpool listNAME SIZE USED AVAIL CAP HEALTH ALTROOTtank 80.0G 22.3G 47.7G 28% ONLINE -dozer 1.2T 384G 816G 32% ONLINE -

This output displays the following information:

NAMEThe name of the pool.

SIZEThe total size of the pool, equal to the sum of the size of all top-level virtual devices.

USEDThe amount of space allocated by all datasets and internal metadata. Note that this amount isdifferent from the amount of space as reported at the file system level.

For more information about determining available file system space, see Section 3.2.

AVAILABLEThe amount of unallocated space in the pool.

CAPACITY (CAP)The amount of space used, expressed as a percentage of total space.

HEALTHThe current health status of the pool.

For more information about pool health, see Section 4.6.

ALTROOTThe alternate root of the pool, if any.

For more information about alternate root pools, see Section 9.3.

You can also gather statistics for a specific pool by specifying the pool name. For example:

# zpool list tankNAME SIZE USED AVAIL CAP HEALTH ALTROOTtank 80.0G 22.3G 47.7G 28% ONLINE -

Listing Specific Storage Pool Statistics

Specific statistics can be requested by using the -o option. This option allows for custom reports or aquick way to list pertinent information. For example, to list only the name and size of each pool, you usethe following syntax:

# zpool list -o name,sizeNAME SIZEtank 80.0Gdozer 1.2T

The column names correspond to the properties that are listed in Section 4.6.

57


Scripting ZFS Storage Pool Output

The default output for the zpool list command is designed for readability, and is not easy to use as partof a shell script. To aid programmatic uses of the command, the -H option can be used to suppress thecolumn headings and separate fields by tabs, rather than by spaces. For example, to request a simple list ofall pool names on the system:

# zpool list -Ho nametankdozer

Here is another example:

# zpool list -H -o name,sizetank 80.0Gdozer 1.2T

Viewing ZFS Storage Pool I/O Statistics

To request I/O statistics for a pool or specific virtual devices, use the zpool iostat command. Similar to theiostat command, this command can display a static snapshot of all I/O activity so far, as well as updatedstatistics for every specified interval. The following statistics are reported:

USED CAPACITYThe amount of data currently stored in the pool or device. This figure differs from the amount ofspace available to actual file systems by a small amount due to internal implementation details.

For more information about the difference between pool space and dataset space, see Section 3.2.

AVAILABLE CAPACITYThe amount of space available in the pool or device. As with the used statistic, this amount differsfrom the amount of space available to datasets by a small margin.

READ OPERATIONSThe number of read I/O operations sent to the pool or device, including metadata requests.

WRITE OPERATIONSThe number of write I/O operations sent to the pool or device.

READ BANDWIDTHThe bandwidth of all read operations (including metadata), expressed as units per second.

WRITE BANDWIDTHThe bandwidth of all write operations, expressed as units per second.

Listing Pool-Wide Statistics

With no options, the zpool iostat command displays the accumulated statistics since boot for all pools onthe system. For example:

58


# zpool iostatcapacity operations bandwidth

pool used avail read write read write---------- ----- ----- ----- ----- ----- -----tank 100G 20.0G 1.2M 102K 1.2M 3.45Kdozer 12.3G 67.7G 132K 15.2K 32.1K 1.20K

Because these statistics are cumulative since boot, bandwidth might appear low if the pool is relatively idle.You can request a more accurate view of current bandwidth usage by specifying an interval. For example:# zpool iostat tank 2

capacity operations bandwidthpool used avail read write read write---------- ----- ----- ----- ----- ----- -----tank 100G 20.0G 1.2M 102K 1.2M 3.45Ktank 100G 20.0G 134 0 1.34K 0tank 100G 20.0G 94 342 1.06K 4.1M

In this example, the command displays usage statistics only for the pool tank every two seconds untilyou type Ctrl-C. Alternately, you can specify an additional count parameter, which causes the commandto terminate after the specified number of iterations. For example, zpool iostat 2 3 would print a summaryevery two seconds for three iterations, for a total of six seconds. If there is a single pool, then the statisticsare displayed on consecutive lines. If more than one pool exists, then an additional dashed line delineateseach iteration to provide visual separation.

Listing Virtual Device Statistics

In addition to pool-wide I/O statistics, the zpool iostat command can display statistics for specific virtualdevices. This command can be used to identify abnormally slow devices, or simply to observe thedistribution of I/O generated by ZFS. To request the complete virtual device layout as well as all I/Ostatistics, use the zpool iostat -v command. For example:# zpool iostat -v

capacity operations bandwidthtank used avail read write read write---------- ----- ----- ----- ----- ----- -----mirror 20.4G 59.6G 0 22 0 6.00Kc1t0d0 - - 1 295 11.2K 148Kc1t1d0 - - 1 299 11.2K 148K

---------- ----- ----- ----- ----- ----- -----total 24.5K 149M 0 22 0 6.00K

Note two important things when viewing I/O statistics on a virtual device basis.

• First, space usage is only available for top-level virtual devices. The way in which space is allocatedamong mirror and RAID-Z virtual devices is particular to the implementation and not easily expressedas a single number.

• Second, the numbers might not add up exactly as you would expect them to. In particular, operationsacross RAID-Z and mirrored devices will not be exactly equal. This difference is particularly noticeableimmediately after a pool is created, as a significant amount of I/O is done directly to the disks as part ofpool creation that is not accounted for at the mirror level. Over time, these numbers should graduallyequalize, although broken, unresponsive, or offlined devices can affect this symmetry as well.

You can use the same set of options (interval and count) when examining virtual device statistics.

59


Determining the Health Status of ZFS Storage Pools

ZFS provides an integrated method of examining pool and device health. The health of a pool is determinedfrom the state of all its devices. This state information is displayed by using the zpool status command. Inaddition, potential pool and device failures are reported by fmd and are displayed on the system consoleand the /var/adm/messages file. This section describes how to determine pool and device health. Thischapter does not document how to repair or recover from unhealthy pools. For more information ontroubleshooting and data recovery, see Chapter 10.

Each device can fall into one of the following states:

ONLINEThe device is in normal working order. While some transient errors might still occur, the device isotherwise in working order.

DEGRADEDThe virtual device has experienced failure but is still able to function. This state is most commonwhen a mirror or RAID-Z device has lost one or more constituent devices. The fault tolerance of thepool might be compromised, as a subsequent fault in another device might be unrecoverable.

FAULTEDThe virtual device is completely inaccessible. This status typically indicates total failure of thedevice, such that ZFS is incapable of sending or receiving data from it. If a top-level virtual deviceis in this state, then the pool is completely inaccessible.

OFFLINEThe virtual device has been explicitly taken offline by the administrator.

UNAVAILABLEThe device or virtual device cannot be opened. In some cases, pools with UNAVAILABLE devicesappear in DEGRADED mode. If a top-level virtual device is unavailable, then nothing in the poolcan be accessed.

REMOVEDThe device was physically removed while the system was running. Device removal detection ishardware-dependent and might not be supported on all platforms.

The health of a pool is determined from the health of all its top-level virtual devices. If all virtualdevices are ONLINE, then the pool is also ONLINE. If any one of the virtual devices is DEGRADED orUNAVAILABLE, then the pool is also DEGRADED. If a top-level virtual device is FAULTED or OFFLINE,then the pool is also FAULTED. A pool in the faulted state is completely inaccessible. No data can berecovered until the necessary devices are attached or repaired. A pool in the degraded state continues torun, but you might not achieve the same level of data redundancy or data throughput than if the pool wereonline.

Basic Storage Pool Health Status

The simplest way to request a quick overview of pool health status is to use the zpool status command:

# zpool status -xall pools are healthy

60


Specific pools can be examined by specifying a pool name to the command. Any pool that is not in theONLINE state should be investigated for potential problems, as described in the next section.

Detailed Health Status

You can request a more detailed health summary by using the -v option. For example:

# zpool status -v tankpool: tankstate: DEGRADED

status: One or more devices could not be opened. Sufficient replicas existfor the pool to continue functioning in a degraded state.

action: Attach the missing device and online it using ’zpool online’.see: http://illumos.org/msg/ZFS-8000-2Q

scrub: none requestedconfig:

NAME STATE READ WRITE CKSUMtank DEGRADED 0 0 0mirror DEGRADED 0 0 0c1t0d0 FAULTED 0 0 0 cannot openc1t1d0 ONLINE 0 0 0


This output displays a complete description of why the pool is in its current state, including a readabledescription of the problem and a link to a knowledge article for more information. Each knowledge articleprovides up-to-date information on the best way to recover from your current problem. Using the detailedconfiguration information, you should be able to determine which device is damaged and how to repairthe pool.

In the above example, the faulted device should be replaced. After the device is replaced, use the zpoolonline command to bring the device back online. For example:

# zpool online tank c1t0d0Bringing device c1t0d0 online# zpool status -xall pools are healthy

If a pool has an offlined device, the command output identifies the problem pool. For example:

# zpool status -xpool: tank

state: DEGRADEDstatus: One or more devices has been taken offline by the adminstrator.

Sufficient replicas exist for the pool to continue functioning in adegraded state.

action: Online the device using ’zpool online’ or replace the device with’zpool replace’.


NAME STATE READ WRITE CKSUMtank DEGRADED 0 0 0mirror DEGRADED 0 0 0

c1t0d0 ONLINE 0 0 0c1t1d0 OFFLINE 0 0 0


61


The READ and WRITE columns provides a count of I/O errors seen on the device, while the CKSUMcolumn provides a count of uncorrectable checksum errors that occurred on the device. Both of these errorcounts likely indicate potential device failure, and some corrective action is needed. If non-zero errors arereported for a top-level virtual device, portions of your data might have become inaccessible. The errorscount identifies any known data errors.

In the example output above, the offlined device is not causing data errors.

For more information about diagnosing and repairing faulted pools and data, see Chapter 10.

4.7 Migrating ZFS Storage Pools

Occasionally, you might need to move a storage pool between machines. To do so, the storage devicesmust be disconnected from the original machine and reconnected to the destination machine. This taskcan be accomplished by physically recabling the devices, or by using multiported devices such as thedevices on a SAN. ZFS enables you to export the pool from one machine and import it on the destinationmachine, even if the machines are of different endianness. For information about replicating or migratingfile systems between different storage pools, which might reside on different machines, see Section 6.3.

• Section 4.7

• Section 4.7

• Section 4.7

• Section 4.7

• Section 4.7

• Section 4.7

• Section 4.7

Preparing for ZFS Storage Pool Migration

Storage pools should be explicitly exported to indicate that they are ready to be migrated. This operationflushes any unwritten data to disk, writes data to the disk indicating that the export was done, and removesall knowledge of the pool from the system.

If you do not explicitly export the pool, but instead remove the disks manually, you can still import theresulting pool on another system. However, you might lose the last few seconds of data transactions, andthe pool will appear faulted on the original machine because the devices are no longer present. By default,the destination machine refuses to import a pool that has not been explicitly exported. This condition isnecessary to prevent accidentally importing an active pool that consists of network attached storage that isstill in use on another system.

62

4.7. Migrating ZFS Storage Pools

Exporting a ZFS Storage Pool

To export a pool, use the zpool export command. For example:

# zpool export tank

Once this command is executed, the pool tank is no longer visible on the system. The command attemptsto unmount any mounted file systems within the pool before continuing. If any of the file systems fail tounmount, you can forcefully unmount them by using the -f option. For example:

# zpool export tankcannot unmount ’/export/home/eschrock’: Device busy# zpool export -f tank

If devices are unavailable at the time of export, the disks cannot be specified as cleanly exported. If one ofthese devices is later attached to a system without any of the working devices, it appears as “potentiallyactive.” If ZFS volumes are in use in the pool, the pool cannot be exported, even with the -f option. Toexport a pool with an ZFS volume, first make sure that all consumers of the volume are no longer active.

For more information about ZFS volumes, see Section 9.1.

Determining Available Storage Pools to Import

Once the pool has been removed from the system (either through export or by forcefully removing thedevices), attach the devices to the target system. Although ZFS can handle some situations in which onlya portion of the devices is available, all devices within the pool must be moved between the systems. Thedevices do not necessarily have to be attached under the same device name. ZFS detects any moved orrenamed devices, and adjusts the configuration appropriately. To discover available pools, run the zpoolimport command with no options. For example:

# zpool importpool: tank

id: 3778921145927357706state: ONLINEaction: The pool can be imported using its name or numeric identifier.config:

tank ONLINEmirror ONLINEc1t0d0 ONLINEc1t1d0 ONLINE

In this example, the pool tank is available to be imported on the target system. Each pool is identified bya name as well as a unique numeric identifier. If multiple pools available to import have the same name,you can use the numeric identifier to distinguish between them.

Similar to the zpool status command, the zpool import command refers to a knowledge article availableon the web with the most up-to-date information regarding repair procedures for a problem that ispreventing a pool from being imported. In this case, the user can force the pool to be imported. However,importing a pool that is currently in use by another system over a storage network can result in datacorruption and panics as both systems attempt to write to the same storage. If some devices in the pool arenot available but enough redundancy is available to have a usable pool, the pool appears in the DEGRADEDstate. For example:

63


# zpool importpool: tank

id: 3778921145927357706state: DEGRADEDstatus: One or more devices are missing from the system.action: The pool can be imported despite missing or damaged devices. The

fault tolerance of the pool may be compromised if imported.see: http://illumos.org/msg/ZFS-8000-2Q

config:

tank DEGRADEDmirror DEGRADEDc1t0d0 UNAVAIL cannot openc1t1d0 ONLINE

In this example, the first disk is damaged or missing, though you can still import the pool because themirrored data is still accessible. If too many faulted or missing devices are present, the pool cannot beimported. For example:

# zpool importpool: dozer

id: 12090808386336829175state: FAULTEDaction: The pool cannot be imported. Attach the missing

devices and try again.see: http://illumos.org/msg/ZFS-8000-6X

config:raidz FAULTEDc1t0d0 ONLINEc1t1d0 FAULTEDc1t2d0 ONLINEc1t3d0 FAULTED

In this example, two disks are missing from a RAID-Z virtual device, which means that sufficient redundantdata is not available to reconstruct the pool. In some cases, not enough devices are present to determine thecomplete configuration. In this case, ZFS doesn’t know what other devices were part of the pool, thoughZFS does report as much information as possible about the situation. For example:

# zpool importpool: dozer

id: 12090808386336829175state: FAULTEDstatus: One or more devices are missing from the system.action: The pool cannot be imported. Attach the missing

devices and try again.see: http://illumos.org/msg/ZFS-8000-6X

config:dozer FAULTED missing deviceraidz ONLINEc1t0d0 ONLINEc1t1d0 ONLINEc1t2d0 ONLINEc1t3d0 ONLINE

Additional devices are known to be part of this pool, though theirexact configuration cannot be determined.

64


Finding ZFS Storage Pools From Alternate Directories

By default, the zpool import command only searches devices within the /dev/dsk directory. If devicesexist in another directory, or you are using pools backed by files, you must use the -d option to searchdifferent directories. For example:# zpool create dozer mirror /file/a /file/b# zpool export dozer# zpool import -d /filepool: dozer


dozer ONLINEmirror ONLINE/file/a ONLINE/file/b ONLINE

# zpool import -d /file dozer

If devices exist in multiple directories, you can specify multiple -d options.

Importing ZFS Storage Pools

Once a pool has been identified for import, you can import it by specifying the name of the pool or itsnumeric identifier as an argument to the zpool import command. For example:# zpool import tank

If multiple available pools have the same name, you can specify which pool to import using the numericidentifier. For example:# zpool importpool: dozer


dozer ONLINEc1t9d0 ONLINE

pool: dozerid: 6223921996155991199

state: ONLINEaction: The pool can be imported using its name or numeric identifier.config:

dozer ONLINEc1t8d0 ONLINE

# zpool import dozercannot import ’dozer’: more than one matching poolimport by numeric ID instead# zpool import 6223921996155991199

If the pool name conflicts with an existing pool name, you can import the pool under a different name. Forexample:

65


# zpool import dozer zeepool

This command imports the exported pool dozer using the new name zeepool. If the pool was notcleanly exported, ZFS requires the -f flag to prevent users from accidentally importing a pool that is stillin use on another system. For example:

# zpool import dozercannot import ’dozer’: pool may be in use on another systemuse ’-f’ to import anyway# zpool import -f dozer

Pools can also be imported under an alternate root by using the -R option. For more information onalternate root pools, see Section 9.3.

Recovering Destroyed ZFS Storage Pools

You can use the zpool import -D command to recover a storage pool that has been destroyed. For example:

# zpool destroy tank# zpool import -Dpool: tank

id: 3778921145927357706state: ONLINE (DESTROYED)action: The pool can be imported using its name or numeric identifier. The

pool was destroyed, but can be imported using the ’-Df’ flags.config:

tank ONLINEmirror ONLINEc1t0d0 ONLINEc1t1d0 ONLINE

In the above zpool import output, you can identify this pool as the destroyed pool because of the followingstate information:

state: ONLINE (DESTROYED)

To recover the destroyed pool, issue the zpool import -D command again with the pool to be recoveredand the -f option. For example:

# zpool import -Df tank# zpool status tankpool: tankstate: ONLINEscrub: none requested

config:



66


If one of the devices in the destroyed pool is faulted or unavailable, you might be able to recover thedestroyed pool anyway. In this scenario, import the degraded pool and then attempt to fix the device failure.For example:

# zpool destroy dozer# zpool import -Dpool: dozer

id:state: DEGRADED (DESTROYED)status: One or more devices are missing from the system.action: The pool can be imported despite missing or damaged devices. The

fault tolerance of the pool may be compromised if imported. Thepool was destroyed, but can be imported using the ’-Df’ flags.

see: http://illumos.org/msg/ZFS-8000-2Qconfig:

dozer DEGRADEDraidz ONLINEc1t0d0 ONLINEc1t1d0 ONLINEc1t2d0 UNAVAIL cannot openc1t3d0 ONLINE

# zpool import -Df dozer# zpool status -xpool: dozer

state: DEGRADEDstatus: One or more devices could not be opened. Sufficient replicas exist for

the pool to continue functioning in a degraded state.action: Attach the missing device and online it using ’zpool online’.

see: http://illumos.org/msg/ZFS-8000-D3scrub: resilver completed with 0 errors on Fri Mar 17 16:11:35 2006

config:

NAME STATE READ WRITE CKSUMdozer DEGRADED 0 0 0raidz ONLINE 0 0 0c1t0d0 ONLINE 0 0 0c1t1d0 ONLINE 0 0 0c1t2d0 UNAVAIL 0 0 0 cannot openc1t3d0 ONLINE 0 0 0

errors: No known data errors# zpool online dozer c1t2d0Bringing device c1t2d0 online# zpool status -xall pools are healthy

Upgrading ZFS Storage Pools

If you have ZFS storage pools from an earlier ZFS release, you can upgrade your pools with the zpoolupgrade command to take advantage of any newer pool features. In addition, the zpool status commandhas been modified to notify you when your pools are running older versions. For example:

# zpool statuspool: test

state: ONLINEstatus: The pool is formatted using an older on-disk format. The pool can

still be used, but some features are unavailable.

67


action: Upgrade the pool using ’zpool upgrade’. Once this is done, thepool will no longer be accessible on older software versions.


NAME STATE READ WRITE CKSUMtest ONLINE 0 0 0c1t27d0 ONLINE 0 0 0


You can use the following syntax to identify additional information about a particular version and supportedreleases.

# zpool upgrade -vThis system supports ZFS pool feature flags.

The following features are supported:

FEAT DESCRIPTION-------------------------------------------------------------async_destroy (read-only compatible)

Destroy filesystems asynchronously.empty_bpobj (read-only compatible)

Snapshots use less space.lz4_compress

LZ4 compression algorithm support.multi_vdev_crash_dump

Crash dumps to multiple vdev pools.spacemap_histogram (read-only compatible)

Spacemaps maintain space histograms.enabled_txg (read-only compatible)

Record txg at which a feature is enabledhole_birth

Retain hole birth txg for more precise zfs sendextensible_dataset

Enhanced dataset functionality, used by other features.embedded_data

Blocks which compress very well use even less space.bookmarks (read-only compatible)

"zfs bookmark" commandfilesystem_limits (read-only compatible)

Filesystem and snapshot limits.large_blocks

Support for blocks larger than 128KB.sha512

SHA-512/256 hash algorithm.skein

Skein hash algorithm.edonr

Edon-R hash algorithm.

The following legacy versions are also supported:

VER DESCRIPTION--- --------------------------------------------------------1 Initial ZFS version2 Ditto blocks (replicated metadata)3 Hot spares and double parity RAID-Z4 zpool history

68


5 Compression using the gzip algorithm6 bootfs pool property7 Separate intent log devices8 Delegated administration9 refquota and refreservation properties10 Cache devices11 Improved scrub performance12 Snapshot properties13 snapused property14 passthrough-x aclinherit15 user/group space accounting16 stmf property support17 Triple-parity RAID-Z18 Snapshot user holds19 Log device removal20 Compression using zle (zero-length encoding)21 Deduplication22 Received properties23 Slim ZIL24 System attributes25 Improved scrub stats26 Improved snapshot deletion performance27 Improved snapshot creation performance28 Multiple vdev replacements

For more information on a particular version, including supported releases,see the ZFS Administration Guide.

Then, you can run the zpool upgrade command to upgrade your pools. For example:

# zpool upgrade -a

NoteIf you upgrade your pools to the latest version, they will not be accessible on systems that run older ZFSversions.

69

Chapter 5

Managing ZFS File Systems

This chapter provides detailed information about managing ZFS file systems. Concepts such as hierarchicalfile system layout, property inheritance, and automatic mount point management and share interactionsare included in this chapter.

A ZFS file system is a lightweight POSIX file system that is built on top of a storage pool. File systemscan be dynamically created and destroyed without requiring you to allocate or format any underlyingspace. Because file systems are so lightweight and because they are the central point of administration inZFS, you are likely to create many of them.

ZFS file systems are administered by using the zfs command. The zfs command provides a set ofsubcommands that perform specific operations on file systems. This chapter describes these subcommandsin detail. Snapshots, volumes, and clones are also managed by using this command, but these features areonly covered briefly in this chapter. For detailed information about snapshots and clones, see Chapter 6.For detailed information about emulated volumes, see Section 9.1.

NoteThe term dataset is used in this chapter as a generic term to refer to a file system, snapshot, clone, orvolume.


• Section 5.1

• Section 5.2

• Section 5.3

• Section 5.4

• Section 5.5

• Section 5.6

• Section 6.3

71

5. MANAGING ZFS FILE SYSTEMS

5.1 Creating and Destroying ZFS File Systems

ZFS file systems can be created and destroyed by using the zfs create and zfs destroy commands.

• Section 5.1

• Section 5.1

• Section 5.1

Creating a ZFS File System

ZFS file systems are created by using the zfs create command. The create subcommand takes a singleargument: the name of the file system to create. The file system name is specified as a path name startingfrom the name of the pool:

pool-name/[filesystem-name/]filesystem-name

The pool name and initial file system names in the path identify the location in the hierarchy where thenew file system will be created. All the intermediate file system names must already exist in the pool. Thelast name in the path identifies the name of the file system to be created. The file system name must satisfythe naming conventions defined in Section 1.4.

In the following example, a file system named bonwick is created in the tank/home file system.

# zfs create tank/home/bonwick

ZFS automatically mounts the newly created file system if it is created successfully. By default, file systemsare mounted as /dataset, using the path provided for the file system name in the create subcommand.In this example, the newly created bonwick file system is at /tank/home/bonwick. For moreinformation about automanaged mount points, see Section 5.5.

For more information about the zfs create command, see zfs(1M).

You can set file system properties when the file system is created.

In the following example, a mount point of /export/zfs is specified and is created for the tank/home file system.

# zfs create -o mountpoint=/export/zfs tank/home

For more information about file system properties, see Section 5.2.

Destroying a ZFS File System

To destroy a ZFS file system, use the zfs destroy command. The destroyed file system is automaticallyunmounted and unshared. For more information about automatically managed mounts or automaticallymanaged shares, see Section 5.5.

In the following example, the tabriz file system is destroyed.

# zfs destroy tank/home/tabriz

72

5.1. Creating and Destroying ZFS File Systems

CautionNo confirmation prompt appears with the destroy subcommand. Use it with extreme caution.

If the file system to be destroyed is busy and so cannot be unmounted, the zfs destroy command fails. Todestroy an active file system, use the -f option. Use this option with caution as it can unmount, unshare,and destroy active file systems, causing unexpected application behavior.

# zfs destroy tank/home/ahrenscannot unmount ’tank/home/ahrens’: Device busy

# zfs destroy -f tank/home/ahrens

The zfs destroy command also fails if a file system has children. To recursively destroy a file system andall its descendents, use the -r option. Note that a recursive destroy also destroys snapshots so use thisoption with caution.

# zfs destroy tank/wscannot destroy ’tank/ws’: filesystem has childrenuse ’-r’ to destroy the following datasets:tank/ws/billmtank/ws/bonwicktank/ws/maybee

# zfs destroy -r tank/ws

If the file system to be destroyed has indirect dependents, even the recursive destroy command describedabove fails. To force the destruction of all dependents, including cloned file systems outside the targethierarchy, the -R option must be used. Use extreme caution with this option.

# zfs destroy -r tank/home/schrockcannot destroy ’tank/home/schrock’: filesystem has dependent clonesuse ’-R’ to destroy the following datasets:tank/clones/schrock-clone

# zfs destroy -R tank/home/schrock

CautionNo confirmation prompt appears with the -f, -r, or -R options so use these options carefully.

For more information about snapshots and clones, see Chapter 6.

Renaming a ZFS File System

File systems can be renamed by using the zfs rename command. Using the rename subcommand canperform the following operations:

• Change the name of a file system

73


• Relocate the file system to a new location within the ZFS hierarchy

• Change the name of a file system and relocate it with the ZFS hierarchy

The following example uses the rename subcommand to do a simple rename of a file system:

# zfs rename tank/home/kustarz tank/home/kustarz_old

This example renames the kustarz file system to kustarz_old.

The following example shows how to use zfs rename to relocate a file system.

# zfs rename tank/home/maybee tank/ws/maybee

In this example, the maybee file system is relocated from tank/home to tank/ws. When you relocatea file system through rename, the new location must be within the same pool and it must have enoughspace to hold this new file system. If the new location does not have enough space, possibly because it hasreached its quota, the rename will fail.

For more information about quotas, see Section 5.6.

The rename operation attempts an unmount/remount sequence for the file system and any descendent filesystems. The rename fails if the operation is unable to unmount an active file system. If this problemoccurs, you will need to force unmount the file system.

For information about renaming snapshots, see Section 6.1.

5.2 Introducing ZFS Properties

Properties are the main mechanism that you use to control the behavior of file systems, volumes, snapshots,and clones. Unless stated otherwise, the properties defined in the section apply to all the dataset types.

• Section 5.2

• Section 5.2

• Section 5.2

Properties are divided into two types, native properties and user defined properties. Native propertieseither export internal statistics or control ZFS file system behavior. In addition, native properties areeither settable or read-only. User properties have no effect on ZFS file system behavior, but you can usethem to annotate datasets in a way that is meaningful in your environment. For more information on userproperties, see Section 5.2.

Most settable properties are also inheritable. An inheritable property is a property that, when set on aparent, is propagated down to all of its descendents.

All inheritable properties have an associated source. The source indicates how a property was obtained.The source of a property can have the following values:

localA local source indicates that the property was explicitly set on the dataset by using the zfs setcommand as described in Section 5.4.

74

5.2. Introducing ZFS Properties

inherited from dataset-nameA value of inherited from dataset-name means that the property was inherited from thenamed ancestor.

defaultA value of default means that the property setting was not inherited or set locally. This source isa result of no ancestor having the property as source local.

The following table identifies both read-only and settable native ZFS file system properties. Read-onlynative properties are identified as such. All other native properties listed in this table are settable. Forinformation about user properties, see Section 5.2.

Table 5.1: ZFS Native Property Descriptions


Value Description

aclinherit

String secure

Controls how ACL entries are inherited when filesand directories are created. The values are discard,noallow, secure, and passthrough. For adescription of these values, see Section 7.1.

aclmode Stringgroupmask

Controls how an ACL entry is modified during achmod operation. The values are discard,groupmask, and passthrough. For a descriptionof these values, see Section 7.1.

atime Boolean on

Controls whether the access time for files is updatedwhen they are read. Turning this property off avoidsproducing write traffic when reading files and canresult in significant performance gains, though itmight confuse mailers and other similar utilities.

available Number N/A

Read-only property that identifies the amount of spaceavailable to the dataset and all its children, assumingno other activity in the pool. Because space is sharedwithin a pool, available space can be limited byvarious factors including physical pool size, quotas,reservations, or other datasets within the pool.This property can also be referenced by its shortenedcolumn name, avail.For more information about space accounting, seeSection 3.2.

canmount Boolean on

Controls whether the given file system can bemounted with the zfs mount command. This propertycan be set on any file system and the property itself isnot inheritable. However, when this property is set, amountpoint can be inherited to descendent filesystems, but the file system itself is never mounted.For more information, see Section 5.2.

75




Value Description

casesensitivity

Stringsensitive

This property indicates whether the file namematching algorithm used by the file system should becasesensitive, caseinsensitive, or allowa combination of both styles of matching (mixed).The default value for this property is sensitive.Traditionally, UNIX and POSIX file systems havecase-sensitive file names.The mixed value for this property indicates the filesystem can support requests for both case-sensitiveand case-insensitive matching behavior. Currently,case-insensitive matching behavior on a file systemthat supports mixed behavior is limited to the SolarisCIFS server product. For more information aboutusing the mixed value, see Section 5.2.Regardless of the casesensitivity propertysetting, the file system preserves the case of the namespecified to create a file. This property cannot bechanged after the file system is created.

checksum String on

Controls the checksum used to verify data integrity.The default value is on, which automatically selectsan appropriate algorithm, currently fletcher2.The values are on, off, fletcher2,fletcher4, and sha256. A value of off disablesintegrity checking on user data. A value of off is notrecommended.

compression String off

Controls the compression algorithm used for thisdataset. Currently, you can select lzjb, gzip, orgzip-N . Enabling compression on a file system withexisting data only compresses new data. Existing dataremains uncompressed.This property can also be referred to by its shortenedcolumn name, compress.

compressratio Number N/A

Read-only property that identifies the compressionratio achieved for this dataset, expressed as amultiplier. Compression can be turned on by runningzfs set compression=on dataset.Calculated from the logical size of all files and theamount of referenced physical data. Includes explicitsavings through the use of the compression property.

76




Value Description

copies Number 1

Sets the number of copies of user data per file system.Available values are 1, 2 or 3. These copies are inaddition to any pool-level redundancy. Space used bymultiple copies of user data is charged to thecorresponding file and dataset and counts againstquotas and reservations. In addition, the used propertyis updated when multiple copies are enabled.Consider setting this property when the file system iscreated because changing this property on an existingfile system only affects newly written data.

creation Number N/ARead-only property that identifies the date and timethat this dataset was created.

devices Boolean onControls the ability to open device files in the filesystem.

exec Boolean onControls whether programs within this file system areallowed to be executed. Also, when set to off,mmap(2) calls with PROT_EXEC are disallowed.

mounted boolean N/A

Read-only property that indicates whether this filesystem, clone, or snapshot is currently mounted. Thisproperty does not apply to volumes. Value can beeither yes or no.

mountpoint String N/A

Controls the mount point used for this file system.When the mountpoint property is changed for a filesystem, the file system and any children that inheritthe mount point are unmounted. If the new value islegacy, then they remain unmounted. Otherwise,they are automatically remounted in the new locationif the property was previously legacy or none, orif they were mounted before the property waschanged. In addition, any shared file systems areunshared and shared in the new location.For more information about using this property, seeSection 5.5.

nbmand Boolean off

Controls whether the file system should be mountedwith nbmand (Non-blocking mandatory) locks. Thisproperty is for CIFS clients only. Changes to thisproperty only take effect when the file system isunmounted and remounted.

77




Value Description

normalization

String None

This property indicates whether a file system shouldperform a unicode normalization of file nameswhenever two file names are compared, and whichnormalization algorithm should be used. File namesare always stored unmodified, names are normalizedas part of any comparison process. If this property isset to a legal value other than none, and theutf8only property was left unspecified, theutf8only property is automatically set to on. Thedefault value of the normalization property isnone. This property cannot be changed after the filesystem is created.

origin String N/A

Read-only property for cloned file systems or volumesthat identifies the snapshot from which the clone wascreated. The origin cannot be destroyed (even withthe -r or -f options) as long as a clone exists.Non-cloned file systems have an origin of none.

quotaNumber(or none)

none

Limits the amount of space a dataset and itsdescendents can consume. This property enforces ahard limit on the amount of space used, including allspace consumed by descendents, including filesystems and snapshots. Setting a quota on adescendent of a dataset that already has a quota doesnot override the ancestor’s quota, but rather imposesan additional limit. Quotas cannot be set on volumes,as the volsize property acts as an implicit quota.For information about setting quotas, see Section 5.6.

readonly Boolean off

Controls whether this dataset can be modified. Whenset to on, no modifications can be made to the dataset.This property can also be referred to by its shortenedcolumn name, rdonly.

recordsize Number 128K

Specifies a suggested block size for files in the filesystem.This property can also be referred to by its shortenedcolumn name, recsize. For a detailed description, seeSection 5.2.

referenced Number N/A

Read-only property that identifies the amount of dataaccessible by this dataset, which might or might notbe shared with other datasets in the pool.When a snapshot or clone is created, it initiallyreferences the same amount of space as the filesystem or snapshot it was created from, because itscontents are identical.This property can also be referred to by its shortenedcolumn name, refer.

78




Value Description

refquotaNumber(or none)

none

Sets the amount of space that a dataset can consume.This property enforces a hard limit on the amount ofspace used. This hard limit does not include spaceused by descendents, such as snapshots and clones.

refreservation

Number(or none)

none

Sets the minimum amount of space that is guaranteedto a dataset, not including descendents, such assnapshots and clones. When the amount of space thatis used is below this value, the dataset is treated as ifit were taking up the amount of space specified byrefreservation. The refreservationreservation is accounted for in the parent datasets’space used, and counts against the parent datasets’quotas and reservations.If refreservation is set, a snapshot is onlyallowed if enough free pool space is available outsideof this reservation to accommodate the currentnumber of referenced bytes in the dataset.This property can also be referred to by its shortenedcolumn name, refreserv.

reservationNumber(or none)

none

The minimum amount of space guaranteed to adataset and its descendents. When the amount ofspace used is below this value, the dataset is treated asif it were using the amount of space specified by itsreservation. Reservations are accounted for in theparent datasets’ space used, and count against theparent datasets’ quotas and reservations.This property can also be referred to by its shortenedcolumn name, reserv.For more information, see Section 5.6.

setuid Boolean onControls whether the setuid bit is honored in thefile system.

sharenfs String off

Controls whether the file system is available overNFS, and what options are used. If set to on, the zfsshare command is invoked with no options.Otherwise, the zfs share command is invoked withoptions equivalent to the contents of this property. Ifset to off, the file system is managed by using thelegacy share and unshare commands and thedfstab file.For more information on sharing ZFS file systems,see Section 5.5.

79




Value Description

sharesmb Boolean off

Controls whether the file system is shared by usingthe Solaris CIFS service, and what options are to beused. A file system with the sharesmb property setto off is managed through traditional tools, such asthe sharemgr command. Otherwise, the file system isautomatically shared and unshared by using the zfsshare and zfs unshare commands.If the property is set to on, the sharemgr commandis invoked with no options. Otherwise, the sharemgrcommand is invoked with options that are equivalentto the contents of this property.

snapdir String hiddenControls whether the .zfs directory is hidden orvisible in the root of the file system. For moreinformation on using snapshots, see Section 6.1.

type String N/ARead-only property that identifies the dataset type asfilesystem (file system or clone), volume, orsnapshot.

used Number N/ARead-only property that identifies the amount of spaceconsumed by the dataset and all its descendents.For a detailed description, see Section 5.2.

utf8only Boolean Off

This property indicates whether a file system shouldreject file names that include characters that are notpresent in the UTF-8 character code set. If thisproperty is explicitly set to off, thenormalization property must either not beexplicitly set or be set to none. The default value forthe utf8only property is off. This propertycannot be changed after the file system is created.

volsize Number N/AFor volumes, specifies the logical size of the volume.For a detailed description, see Section 5.2.

volblocksize

Number 8 Kbytes

For volumes, specifies the block size of the volume.The block size cannot be changed once the volumehas been written, so set the block size at volumecreation time. The default block size for volumes is 8Kbytes. Any power of 2 from 512 bytes to 128Kbytes is valid.This property can also be referred to by its shortenedcolumn name, volblock.

vscan Boolean Off

Controls whether regular files should be scanned forviruses when a file is opened and closed. In additionto enabling this property, a virus scanning servicemust also be enabled for virus scanning to occur. Thedefault value is off.

80




Value Description

zoned Boolean N/A

Indicates whether this dataset has been added to anon-global zone. If this property is set, then the mountpoint is not honored in the global zone, and ZFScannot mount such a file system when requested.When a zone is first installed, this property is set forany added file systems.For more information about using ZFS with zonesinstalled, see Section 9.2.

xattr Boolean onIndicates whether extended attributes are enabled ordisabled for this file system. The default value is on.

ZFS Read-Only Native Properties

Read-only native properties are properties that can be retrieved but cannot be set. Read-only nativeproperties are not inherited. Some native properties are specific to a particular type of dataset. In suchcases, the particular dataset type is mentioned in the description in Table 5.1.

The read-only native properties are listed here and are described in Table 5.1.

• available

• creation

• mounted

• origin

• compressratio

• referenced

• type

• used

For detailed information, see Section 5.2.

For more information on space accounting, including the used, referenced, and available properties, seeSection 3.2.

81


The used Property

The amount of space consumed by this dataset and all its descendents. This value is checked againstthe dataset’s quota and reservation. The space used does not include the dataset’s reservation, but doesconsider the reservation of any descendent datasets. The amount of space that a dataset consumes from itsparent, as well as the amount of space that is freed if the dataset is recursively destroyed, is the greater ofits space used and its reservation.

When snapshots are created, their space is initially shared between the snapshot and the file system, andpossibly with previous snapshots. As the file system changes, space that was previously shared becomesunique to the snapshot, and counted in the snapshot’s space used. Additionally, deleting snapshots canincrease the amount of space unique to (and used by) other snapshots. For more information aboutsnapshots and space issues, see Section 3.2.

The amount of space used, available, or referenced does not take into account pending changes. Pendingchanges are generally accounted for within a few seconds. Committing a change to a disk using fsync(3C)or O_SYNC does not necessarily guarantee that the space usage information will be updated immediately.

Settable ZFS Native Properties

Settable native properties are properties whose values can be both retrieved and set. Settable nativeproperties are set by using the zfs set command, as described in Section 5.4 or by using the zfs createcommand as described in Section 5.1. With the exceptions of quotas and reservations, settable nativeproperties are inherited. For more information about quotas and reservations, see Section 5.6.

Some settable native properties are specific to a particular type of dataset. In such cases, the particulardataset type is mentioned in the description in Table 5.1. If not specifically mentioned, a property appliesto all dataset types: file systems, volumes, clones, and snapshots.

The settable properties are listed here and are described in Table 5.1.

• aclinherit

For a detailed description, see Section 7.1.

• aclmode


• atime

• canmount

• casesensitivity

• checksum

• compression

• copies

• devices

• exec

82


• mountpoint

• nbmand

• normalization

• quota

• readonly

• recordsize


• refquota

• refreservation

• reservation

• sharenfs

• sharesmb

• setuid

• snapdir

• vscan

• utf8only

• volsize

For a detailed description,see Section 5.2.

• volblocksize

• zoned

The canmount Property

If this property is set to no, the file system cannot be mounted by using the zfs mount or zfs mount -acommands. This property is similar to setting the mountpoint property to none, except that the datasetstill has a normal mountpoint property that can be inherited. For example, you can set this property tono, establish inheritable properties for descendent file systems, but the file system itself is never mountednor it is accessible to users. In this case, the parent file system with this property set to no is serving as acontainer so that you can set attributes on the container, but the container itself is never accessible.

In the following example, userpool is created and the canmount property is set to off. Mount points fordescendent user file systems are set to one common mount point, /export/home. Properties that areset on the parent file system are inherited by descendent file systems, but the parent file system itself isnever mounted.

83


# zpool create userpool mirror c0t5d0 c1t6d0# zfs set canmount=off userpool# zfs set mountpoint=/export/home userpool# zfs set compression=on userpool# zfs create userpool/user1# zfs create userpool/user2# zfs list -r userpoolNAME USED AVAIL REFER MOUNTPOINTuserpool 140K 8.24G 24.5K /export/homeuserpool/user1 24.5K 8.24G 24.5K /export/home/user1userpool/user2 24.5K 8.24G 24.5K /export/home/user2

The casesensitivity Property

This property indicates whether the file name matching algorithm used by the file system should becasesensitive, caseinsensitive, or allow a combination of both styles of matching (mixed).

When a case-insensitive matching request is made of a mixed sensitivity file system, the behavior isgenerally the same as would be expected of a purely case-insensitive file system. The difference is thata mixed sensitivity file system might contain directories with multiple names that are unique from acase-sensitive perspective, but not unique from the case-insensitive perspective.

For example, a directory might contain files foo, Foo, and FOO. If a request is made to case-insensitivelymatch any of the possible forms of foo, (for example foo, FOO, FoO, fOo, and so on) one of the threeexisting files is chosen as the match by the matching algorithm. Exactly which file the algorithm choosesas a match is not guaranteed, but what is guaranteed is that the same file is chosen as a match for anyof the forms of foo. The file chosen as a case-insensitive match for foo, FOO, foO, Foo, and so on, isalways the same, so long as the directory remains unchanged.

The utf8only, normalization, and casesensitivity properties are also new permissions thatcan be assigned to non-privileged users by using ZFS delegated administration. For more information, seeSection 8.2.

The recordsize Property

Specifies a suggested block size for files in the file system.

This property is designed solely for use with database workloads that access files in fixed-size records.ZFS automatically adjust block sizes according to internal algorithms optimized for typical access patterns.For databases that create very large files but access the files in small random chunks, these algorithmsmay be suboptimal. Specifying a recordsize greater than or equal to the record size of the database canresult in significant performance gains. Use of this property for general purpose file systems is stronglydiscouraged, and may adversely affect performance. The size specified must be a power of two greaterthan or equal to 512 and less than or equal to 128 Kbytes. Changing the file system’s recordsize onlyaffects files created afterward. Existing files are unaffected.

This property can also be referred to by its shortened column name, recsize.

The sharesmb Property

This property enabled sharing of ZFS file systems with the Solaris CIFS service, and identifies options tobe used.

84


Because SMB shares requires a resource name, a unique resource name is constructed from the datasetname. The constructed name is a copy of the dataset name except that the characters in the dataset name,which would be illegal in the resource name, are replaced with underbar (_) characters. A pseudo propertyname is also supported that allows you to replace the dataset name with a specific name. The specificname is then used to replace the prefix dataset in the case of inheritance.

For example, if the dataset, data/home/john, is set to name=john, then data/home/john hasa resource name of john. If a child dataset of data/home/john/backups exists, it has a resourcename of john_backups. When the sharesmb property is changed for a dataset, the dataset and anychildren inheriting the property are re-shared with the new options, only if the property was previously setto off, or if they were shared before the property was changed. If the new property is set to off, the filesystems are unshared.

For examples of using the sharesmb property, see Section 5.5.

The volsize Property

The logical size of the volume. By default, creating a volume establishes a reservation for the same amount.Any changes to volsize are reflected in an equivalent change to the reservation. These checks are usedto prevent unexpected behavior for users. A volume that contains less space than it claims is availablecan result in undefined behavior or data corruption, depending on how the volume is used. These effectscan also occur when the volume size is changed while it is in use, particularly when you shrink the size.Extreme care should be used when adjusting the volume size.

Though not recommended, you can create a sparse volume by specifying the -s flag to zfs create -V, orby changing the reservation once the volume has been created. A sparse volume is defined as a volumewhere the reservation is not equal to the volume size. For a sparse volume, changes to volsize are notreflected in the reservation.

For more information about using volumes, see Section 9.1.

ZFS User Properties

In addition to the standard native properties, ZFS supports arbitrary user properties. User properties haveno effect on ZFS behavior, but you can use them to annotate datasets with information that is meaningfulin your environment.

User property names must conform to the following characteristics:

• Contain a colon (’:’) character to distinguish them from native properties.

• Contain lowercase letters, numbers, and the following punctuation characters: ’:’, + ,’.’, ’_’.

• Maximum user property name is 256 characters.

The expected convention is that the property name is divided into the following two components but thisnamespace is not enforced by ZFS:

module:property

85


When making programmatic use of user properties, use a reversed DNS domain name for the modulecomponent of property names to reduce the chance that two independently-developed packages will usethe same property name for different purposes. Property names that begin with "com.sun." are reservedfor use by Sun Microsystems.

The values of user properties have the following characteristics:

• Arbitrary strings that are always inherited and are never validated.

• Maximum user property value is 1024 characters.

For example:# zfs set dept:users=finance userpool/user1# zfs set dept:users=general userpool/user2# zfs set dept:users=itops userpool/user3

All of the commands that operate on properties, such as zfs list, zfs get, zfs set, and so on, can be used tomanipulate both native properties and user properties.

For example:zfs get -r dept:users userpoolNAME PROPERTY VALUE SOURCEuserpool dept:users all localuserpool/user1 dept:users finance localuserpool/user2 dept:users general localuserpool/user3 dept:users itops local

To clear a user property, use the zfs inherit command. For example:# zfs inherit -r dept:users userpool

If the property is not defined in any parent dataset, it is removed entirely.

5.3 Querying ZFS File System Information

The zfs list command provides an extensible mechanism for viewing and querying dataset information.Both basic and complex queries are explained in this section.

Listing Basic ZFS Information

You can list basic dataset information by using the zfs list command with no options. This commanddisplays the names of all datasets on the system including their used, available, referenced, and mountpointproperties. For more information about these properties, see Section 5.2.

For example:# zfs listNAME USED AVAIL REFER MOUNTPOINTpool 476K 16.5G 21K /poolpool/clone 18K 16.5G 18K /pool/clonepool/home 296K 16.5G 19K /pool/homepool/home/marks 277K 16.5G 277K /pool/home/markspool/home/marks@snap 0 - 277K -pool/test 18K 16.5G 18K /test

86

5.3. Querying ZFS File System Information

You can also use this command to display specific datasets by providing the dataset name on the commandline. Additionally, use the -r option to recursively display all descendents of that dataset. For example:

# zfs list -r pool/home/marksNAME USED AVAIL REFER MOUNTPOINTpool/home/marks 277K 16.5G 277K /pool/home/markspool/home/marks@snap 0 - 277K -

You use zfs list command with absolute pathnames for datasets, snapshots, and volumes. For example:

# zfs list /pool/home/marksNAME USED AVAIL REFER MOUNTPOINTpool/home/marks 277K 16.5G 277K /pool/home/marks

The following example shows how to display tank/home/chua and all of its descendent datasets.

# zfs list -r tank/home/chuaNAME USED AVAIL REFER MOUNTPOINTtank/home/chua 26.0K 4.81G 10.0K /tank/home/chuatank/home/chua/projects 16K 4.81G 9.0K /tank/home/chua/projectstank/home/chua/projects/fs1 8K 4.81G 8K /tank/home/chua/projects/fs1tank/home/chua/projects/fs2 8K 4.81G 8K /tank/home/chua/projects/fs2

For additional information about the zfs list command, see zfs(1M).

Creating Complex ZFS Queries

The zfs list output can be customized by using of the -o, -f, and -H options.

You can customize property value output by using the -o option and a comma-separated list of desiredproperties. Supply any dataset property as a valid value. For a list of all supported dataset properties, seeSection 5.2. In addition to the properties defined there, the -o option list can also contain the literal nameto indicate that the output should include the name of the dataset.

The following example uses zfs list to display the dataset name, along with the sharenfs and mountpointproperties.

# zfs list -o name,sharenfs,mountpointNAME SHARENFS MOUNTPOINTtank off /tanktank/home on /tank/hometank/home/ahrens on /tank/home/ahrenstank/home/bonwick on /tank/home/bonwicktank/home/chua on /tank/home/chuatank/home/eschrock on legacytank/home/moore on /tank/home/mooretank/home/tabriz ro /tank/home/tabriz

You can use the -t option to specify the types of datasets to display. The valid types are described in thefollowing table.

Table 5.2: Types of ZFS Datasets

Type Descriptionfilesystem File systems and clonesvolume Volumessnapshot Snapshots 87


The -t options takes a comma-separated list of the types of datasets to be displayed. The followingexample uses the -t and -o options simultaneously to show the name and used property for all filesystems:

# zfs list -t filesystem -o name,usedNAME USEDpool 476Kpool/clone 18Kpool/home 296Kpool/home/marks 277Kpool/test 18K

You can use the -H option to omit the zfs list header from the generated output. With the -H option, allwhite space is output as tabs. This option can be useful when you need parseable output, for example,when scripting. The following example shows the output generated from using the zfs list command withthe -H option:

# zfs list -H -o namepoolpool/clonepool/homepool/home/markspool/home/marks@snappool/test

5.4 Managing ZFS Properties

Dataset properties are managed through the zfs command’s set, inherit, and get subcommands.

• Section 5.4

• Section 5.4

• Section 5.4

Setting ZFS Properties

You can use the zfs set command to modify any settable dataset property. Or, you can use the zfs createcommand to set properties when the dataset is created. For a list of settable dataset properties, seeSection 5.2. The zfs set command takes a property/value sequence in the format of property=valueand a dataset name.

The following example sets the atime property to off for tank/home. Only one property can be set ormodified during each zfs set invocation.

# zfs set atime=off tank/home

In addition, any file system property can be set when the file system is created. For example:

# zfs create -o atime=off tank/home

88

5.4. Managing ZFS Properties

You can specify numeric properties by using the following easy to understand suffixes (in order ofmagnitude): BKMGTPEZ. Any of these suffixes can be followed by an optional b, indicating bytes, withthe exception of the B suffix, which already indicates bytes. The following four invocations of zfs set areequivalent numeric expressions indicating that the quota property be set to the value of 50 Gbytes on thetank/home/marks file system:

# zfs set quota=50G tank/home/marks# zfs set quota=50g tank/home/marks# zfs set quota=50GB tank/home/marks# zfs set quota=50gb tank/home/marks

Values of non-numeric properties are case-sensitive and must be lowercase, with the exception of mount-point and sharenfs. The values of these properties can have mixed upper and lower case letters.

For more information about the zfs set command, see zfs(1M).

Inheriting ZFS Properties

All settable properties, with the exception of quotas and reservations, inherit their value from their parent,unless a quota or reservation is explicitly set on the child. If no ancestor has an explicit value set for aninherited property, the default value for the property is used. You can use the zfs inherit command to cleara property setting, thus causing the setting to be inherited from the parent.

The following example uses the zfs set command to turn on compression for the tank/home/bonwickfile system. Then, zfs inherit is used to unset the compression property, thus causing the property toinherit the default setting of off. Because neither home nor tank have the compression property setlocally, the default value is used. If both had compression on, the value set in the most immediate ancestorwould be used (home in this example).

# zfs set compression=on tank/home/bonwick# zfs get -r compression tankNAME PROPERTY VALUE SOURCEtank compression off defaulttank/home compression off defaulttank/home/bonwick compression on local# zfs inherit compression tank/home/bonwick# zfs get -r compression tankNAME PROPERTY VALUE SOURCEtank compression off defaulttank/home compression off defaulttank/home/bonwick compression off default

The inherit subcommand is applied recursively when the -r option is specified. In the following example,the command causes the value for the compression property to be inherited by tank/home and anydescendents it might have.

# zfs inherit -r compression tank/home

NoteBe aware that the use of the -r option clears the current property setting for all descendent datasets.

For more information about the zfs command, see zfs(1M).

89


Querying ZFS Properties

The simplest way to query property values is by using the zfs list command. For more information, seeSection 5.3. However, for complicated queries and for scripting, use the zfs get command to provide moredetailed information in a customized format.

You can use the zfs get command to retrieve any dataset property. The following example shows how toretrieve a single property on a dataset:

# zfs get checksum tank/wsNAME PROPERTY VALUE SOURCEtank/ws checksum on default

The fourth column, SOURCE, indicates where this property value has been set from. The following tabledefines the meaning of the possible source values.

Table 5.3: Possible SOURCE Values (zfs get)

Source Value Description

defaultThis property was never explicitly set for this dataset or any ofits ancestors. The default value for this property is being used.

inherited from dataset-

name

This property value is being inherited from the parent asspecified by dataset-name.

localThis property value was explicitly set for this dataset by usingzfs set.

temporary

This property value was set by using the zfs mount -o optionand is only valid for the lifetime of the mount. For moreinformation about temporary mount point properties, seeSection 5.5.

- (none)This property is a read-only property. Its value is generated byZFS.

You can use the special keyword all to retrieve all dataset properties. The following example uses theall keyword to retrieve all existing dataset properties:

# zfs get all tankNAME PROPERTY VALUE SOURCEtank type filesystem -tank creation Wed Jan 23 9:57 2008 -tank used 120K -tank available 33.1G -tank referenced 24.0K -tank compressratio 1.00x -tank mounted yes -tank quota none defaulttank reservation none defaulttank recordsize 128K defaulttank mountpoint /tank defaulttank sharenfs off defaulttank checksum on defaulttank compression off default

90

5.4. Managing ZFS Properties

tank atime on defaulttank devices on defaulttank exec on defaulttank setuid on defaulttank readonly off defaulttank zoned off defaulttank snapdir hidden defaulttank aclmode groupmask defaulttank aclinherit secure defaulttank canmount on defaulttank shareiscsi off defaulttank xattr on defaulttank copies 1 defaulttank version 3 -tank utf8only off -tank normalization none -tank casesensitivity sensitive -tank vscan off defaulttank nbmand off defaulttank sharesmb off defaulttank refquota none defaulttank refreservation none default

The -s option to zfs get enables you to specify, by source value, the type of properties to display. Thisoption takes a comma-separated list indicating the desired source types. Only properties with the specifiedsource type are displayed. The valid source types are local, default, inherited, temporary,and none. The following example shows all properties that have been locally set on pool.

# zfs get -s local all poolNAME PROPERTY VALUE SOURCEpool compression on local

Any of the above options can be combined with the -r option to recursively display the specified propertieson all children of the specified dataset. In the following example, all temporary properties on all datasetswithin tank are recursively displayed:

# zfs get -r -s temporary all tankNAME PROPERTY VALUE SOURCEtank/home atime off temporarytank/home/bonwick atime off temporarytank/home/marks atime off temporary

A recent feature enables you to make queries with the zfs get command without specifying a target filesystem, which means it operates on all pools or file systems. For example:

# zfs get -s local alltank/home atime off localtank/home/bonwick atime off localtank/home/marks quota 50G local

For more information about the zfs get command, see zfs(1M).

Querying ZFS Properties for Scripting

The zfs get command supports the -H and -o options, which are designed for scripting. The -H optionindicates that any header information should be omitted and that all white space should come in the form

91


of tab. Uniform white space allows for easily parseable data. You can use the -o option to customizethe output. This option takes a comma-separated list of values to be output. All properties defined inSection 5.2, along with the literals name, value, property and source can be supplied in the -olist.

The following example shows how to retrieve a single value by using the -H and -o options of zfs get.# zfs get -H -o value compression tank/homeon

The -p option reports numeric values as their exact values. For example, 1 Mbyte would be reported as1000000. This option can be used as follows:

# zfs get -H -o value -p used tank/home182983742

You can use the -r option along with any of the above options to recursively retrieve the requested valuesfor all descendents. The following example uses the -r, -o, and -H options to retrieve the dataset nameand the value of the used property for export/home and its descendents, while omitting any headeroutput:

# zfs get -H -o name,value -r used export/homeexport/home 5.57Gexport/home/marks 1.43Gexport/home/maybee 2.15G

5.5 Mounting and Sharing ZFS File Systems

This section describes how mount points and shared file systems are managed in ZFS.

• Section 5.5

• Section 5.5

• Section 5.5

• Section 5.5

• Section 5.5

Managing ZFS Mount Points

By default, all ZFS file systems are mounted by ZFS at boot by using SMF’s svc://system/filesystem/local service. File systems are mounted under /path, where path is the name of the file system.

You can override the default mount point by setting the mountpoint property to a specific path by using thezfs set command. ZFS automatically creates this mount point, if needed, and automatically mounts thisfile system when the zfs mount -a command is invoked, without requiring you to edit the /etc/vfstabfile.

The mountpoint property is inherited. For example, if pool/home has mountpoint set to /export/stuff, then pool/home/user inherits /export/stuff/user for its mountpoint property.

92

5.5. Mounting and Sharing ZFS File Systems

The mountpoint property can be set to none to prevent the file system from being mounted. In addition,the canmount property is available for determining whether a file system can be mounted. For moreinformation about the canmount property, see Section 5.2.

If desired, file systems can also be explicitly managed through legacy mount interfaces by setting themountpoint property to legacy by using zfs set. Doing so prevents ZFS from automatically mountingand managing this file system. Legacy tools including the mount and umount commands, and the/etc/vfstab file must be used instead. For more information about legacy mounts, see Section 5.5.

When changing mount point management strategies, the following behaviors apply:

• Automatic mount point behavior

• Legacy mount point behavior

Automatic Mount Points

• When changing from legacy or none, ZFS automatically mounts the file system.

• If ZFS is currently managing the file system but it is currently unmounted, and the mountpoint propertyis changed, the file system remains unmounted.

You can also set the default mount point for the root dataset at creation time by using zpool create’s -moption. For more information about creating pools, see Section 4.3.

Any dataset whose mountpoint property is not legacy is managed by ZFS. In the following example, adataset is created whose mount point is automatically managed by ZFS.

# zfs create pool/filesystem# zfs get mountpoint pool/filesystemNAME PROPERTY VALUE SOURCEpool/filesystem mountpoint /pool/filesystem default# zfs get mounted pool/filesystemNAME PROPERTY VALUE SOURCEpool/filesystem mounted yes -

You can also explicitly set the mountpoint property as shown in the following example:

# zfs set mountpoint=/mnt pool/filesystem# zfs get mountpoint pool/filesystemNAME PROPERTY VALUE SOURCEpool/filesystem mountpoint /mnt local# zfs get mounted pool/filesystemNAME PROPERTY VALUE SOURCEpool/filesystem mounted yes -

When the mountpoint property is changed, the file system is automatically unmounted from the old mountpoint and remounted to the new mount point. Mount point directories are created as needed. If ZFS isunable to unmount a file system due to it being active, an error is reported and a forced manual unmount isnecessary.

93


Legacy Mount Points

You can manage ZFS file systems with legacy tools by setting the mountpoint property to legacy. Legacyfile systems must be managed through the mount and umount commands and the /etc/vfstab file.ZFS does not automatically mount legacy file systems on boot, and the ZFS mount and umount commanddo not operate on datasets of this type. The following examples show how to set up and manage a ZFSdataset in legacy mode:

# zfs set mountpoint=legacy tank/home/eschrock# mount -F zfs tank/home/eschrock /mnt

In addition, you must mount them by creating entries in the /etc/vfstab file. Otherwise, the system/filesystem/local service enters maintenance mode when the system boots.

To automatically mount a legacy file system on boot, you must add an entry to the /etc/vfstab file.The following example shows what the entry in the /etc/vfstab file might look like:

#device device mount FS fsck mount mount#to mount to fsck point type pass at boot options#

tank/home/eschrock - /mnt zfs - yes -

Note that the device to fsck and fsck pass entries are set to -. This syntax is because the fsckcommand is not applicable to ZFS file systems. For more information regarding data integrity and the lackof need for fsck in ZFS, see Section 1.2.

Mounting ZFS File Systems

ZFS automatically mounts file systems when file systems are created or when the system boots. Useof the zfs mount command is necessary only when changing mount options or explicitly mounting orunmounting file systems.

The zfs mount command with no arguments shows all currently mounted file systems that are managedby ZFS. Legacy managed mount points are not displayed. For example:

# zfs mounttank /tanktank/home /tank/hometank/home/bonwick /tank/home/bonwicktank/ws /tank/ws

You can use the -a option to mount all ZFS managed file systems. Legacy managed file systems are notmounted. For example:

# zfs mount -a

By default, ZFS does not allow mounting on top of a nonempty directory. To force a mount on top of anonempty directory, you must use the -O option. For example:

# zfs mount tank/home/laltcannot mount ’/export/home/lalt’: directory is not emptyuse legacy mountpoint to allow this behavior, or use the -O flag# zfs mount -O tank/home/lalt

94


Legacy mount points must be managed through legacy tools. An attempt to use ZFS tools results in anerror. For example:

# zfs mount pool/home/billmcannot mount ’pool/home/billm’: legacy mountpointuse mount(1M) to mount this filesystem# mount -F zfs tank/home/billm

When a file system is mounted, it uses a set of mount options based on the property values associated withthe dataset. The correlation between properties and mount options is as follows:

PropertyMount Options

devicesdevices/nodevices

exec exec/noexec

readonlyro/rw

setuidsetuid/nosetuid

The mount option nosuid is an alias for nodevices,nosetuid.

You can use the NFSv4 mirror mount features to help you better manage NFS-mounted ZFS homedirectories. For a description of mirror mounts, see Section 1.1.

Using Temporary Mount Properties

If any of the above options are set explicitly by using the -o option with the zfs mount command, theassociated property value is temporarily overridden. These property values are reported as temporaryby the zfs get command and revert back to their original settings when the file system is unmounted. If aproperty value is changed while the dataset is mounted, the change takes effect immediately, overridingany temporary setting.

In the following example, the read-only mount option is temporarily set on the tank/home/perrinfile system:

# zfs mount -o ro tank/home/perrin

In this example, the file system is assumed to be unmounted. To temporarily change a property on a filesystem that is currently mounted, you must use the special remount option. In the following example,the atime property is temporarily changed to off for a file system that is currently mounted:

# zfs mount -o remount,noatime tank/home/perrin# zfs get atime tank/home/perrinNAME PROPERTY VALUE SOURCEtank/home/perrin atime off temporary

For more information about the zfs mount command, see zfs(1M).

95


Unmounting ZFS File Systems

You can unmount file systems by using the zfs unmount subcommand. The unmount command can takeeither the mount point or the file system name as arguments.

In the following example, a file system is unmounted by file system name:# zfs unmount tank/home/tabriz

In the following example, the file system is unmounted by mount point:# zfs unmount /export/home/tabriz

The unmount command fails if the file system is active or busy. To forceably unmount a file system, youcan use the -f option. Be cautious when forceably unmounting a file system, if its contents are activelybeing used. Unpredictable application behavior can result.# zfs unmount tank/home/eschrockcannot unmount ’/export/home/eschrock’: Device busy# zfs unmount -f tank/home/eschrock

To provide for backwards compatibility, the legacy umount command can be used to unmount ZFS filesystems. For example:# umount /export/home/bob

For more information about the zfs umount command, see zfs(1M).

Sharing and Unsharing ZFS File Systems

Similar to mount points, ZFS can automatically share file systems by using the sharenfs property. Usingthis method, you do not have to modify the /etc/dfs/dfstab file when a new file system is added.The sharenfs property is a comma-separated list of options to pass to the share command. The special valueon is an alias for the default share options, which are read/write permissions for anyone. The specialvalue off indicates that the file system is not managed by ZFS and can be shared through traditionalmeans, such as the /etc/dfs/dfstab file. All file systems whose sharenfs property is not off areshared during boot.

Controlling Share Semantics

By default, all file systems are unshared. To share a new file system, use zfs set syntax similar to thefollowing:# zfs set sharenfs=on tank/home/eschrock

The property is inherited, and file systems are automatically shared on creation if their inherited propertyis not off. For example:# zfs set sharenfs=on tank/home# zfs create tank/home/bricker# zfs create tank/home/tabriz# zfs set sharenfs=ro tank/home/tabriz

Both tank/home/bricker and tank/home/tabriz are initially shared writable because theyinherit the sharenfs property from tank/home. Once the property is set to ro (readonly), tank/home/tabriz is shared read-only regardless of the sharenfs property that is set for tank/home.

96


Unsharing ZFS File Systems

While most file systems are automatically shared and unshared during boot, creation, and destruction, filesystems sometimes need to be explicitly unshared. To do so, use the zfs unshare command. For example:

# zfs unshare tank/home/tabriz

This command unshares the tank/home/tabriz file system. To unshare all ZFS file systems on thesystem, you need to use the -a option.

# zfs unshare -a

Sharing ZFS File Systems

Most of the time the automatic behavior of ZFS, sharing on boot and creation, is sufficient for normaloperation. If, for some reason, you unshare a file system, you can share it again by using the zfs sharecommand. For example:

# zfs share tank/home/tabriz

You can also share all ZFS file systems on the system by using the -a option.

# zfs share -a

Legacy Share Behavior

If the sharenfs property is off, then ZFS does not attempt to share or unshare the file system at any time.This setting enables you to administer through traditional means such as the /etc/dfs/dfstab file.

Unlike the traditional mount command, the traditional share and unshare commands can still functionon ZFS file systems. As a result, you can manually share a file system with options that are differentfrom the settings of the sharenfs property. This administrative model is discouraged. Choose to eithermanage NFS shares completely through ZFS or completely through the /etc/dfs/dfstab file. TheZFS administrative model is designed to be simpler and less work than the traditional model. However, insome cases, you might still want to control file system sharing behavior through the familiar model.

Sharing ZFS Files in a Solaris CIFS Environment

The sharesmb property is provided to share ZFS files by using the Solaris CIFS software product.When this property is set on a ZFS file system, these shares are visible to CIFS client systems. For moreinformation about using the CIFS software product, see the System Administration Guide: WindowsInteroperability.

For a detailed description of the sharesmb property, see Section 5.2.

97


Example 5.1: Example—Sharing ZFS File Systems (sharesmb)

In this example, a ZFS file system sandbox/fs1 is created and shared with the sharesmb property.If necessary, enable the SMB services.

# svcadm enable -r smb/serversvcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.# svcs | grep smbonline 10:47:15 svc:/network/smb/server:default

# zpool create sandbox mirror c0t2d0 c0t4d0# zfs create sandbox/fs1# zfs set sharesmb=on sandbox/fs1

The sharesmb property is set for sandbox/fs1 and its descendents.Verify that the file system was shared. For example:

# sharemgr show -vpdefault nfs=()zfs nfs=()

zfs/sandbox/fs1 smb=()sandbox_fs1=/sandbox/fs1

A default SMB resource name, sandbox_fs1, is assigned automatically.In this example, another file system is created, sandbox/fs2, and shared with a resource name, myshare.

# zfs create sandbox/fs2# zfs set sharesmb=name=myshare sandbox/fs2# sharemgr show -vpdefault nfs=()zfs nfs=()


zfs/sandbox/fs2 smb=()myshare=/sandbox/fs2

The sandbox/fs2/fs2_sub1 file system is created and is automatically shared. The inherited re-source name is myshare_fs2_sub1.

# zfs create sandbox/fs2/fs2_sub1# sharemgr show -vpdefault nfs=()zfs nfs=()


zfs/sandbox/fs2 smb=()myshare=/sandbox/fs2myshare_fs2_sub1=/sandbox/fs2/fs2_sub1

Disable SMB sharing for sandbox/fs2 and its descendents.

# zfs set sharesmb=off sandbox/fs2# sharemgr show -vpdefault nfs=()zfs nfs=()


98

5.6. ZFS Quotas and Reservations

In this example, the sharesmb property is set on the pool’s top-level file system. The descendent filesystems are automatically shared.

# zpool create sandbox mirror c0t2d0 c0t4d0# zfs set sharesmb=on sandbox# zfs create sandbox/fs1# zfs create sandbox/fs2

The top-level file system has a resource name of sandbox, but the descendents have their dataset nameappended to the resource name.

# sharemgr show -vpdefault nfs=()zfs nfs=()

zfs/sandbox smb=()sandbox=/sandboxsandbox_fs1=/sandbox/fs1 smb=()sandbox_fs2=/sandbox/fs2 smb=()

5.6 ZFS Quotas and Reservations

ZFS supports quotas and reservations at the file system level. You can use the quota property to set a limiton the amount of space a file system can use. In addition, you can use the reservation property to guaranteethat some amount of space is available to a file system. Both properties apply to the dataset they are set onand all descendents of that dataset.

That is, if a quota is set on the tank/home dataset, the total amount of space used by tank/homeand all of its descendents cannot exceed the quota. Similarly, if tank/home is given a reservation,tank/home and all of its descendents draw from that reservation. The amount of space used by a datasetand all of its descendents is reported by the used property.

In addition to the quota and reservation property, the refquota and refreservation prop-erties are available to manage file system space without accounting for space consumed by descendents,such as snapshots and clones.

Consider the following points to determine which quota and reservations features might better manageyour file systems:

• The quota and reservation properties are convenient for managing space consumed by datasets.

• The refquota and refreservation properties are appropriate for managing space consumed bydatasets and snapshots.

• Setting refquota or refreservation higher than quota or reservation have no effect. If you setthe quota or refquota properties, operations that try to exceed either value fail. It is possible to aexceed a quota that is greater than refquota. If some snapshot blocks are dirtied, you might actuallyexceed the quota before you exceed the refquota.

For more information, see the examples below.

99


Setting Quotas on ZFS File Systems

ZFS quotas can be set and displayed by using the zfs set and zfs get commands. In the following example,a quota of 10 Gbytes is set on tank/home/bonwick.

# zfs set quota=10G tank/home/bonwick# zfs get quota tank/home/bonwickNAME PROPERTY VALUE SOURCEtank/home/bonwick quota 10.0G local

ZFS quotas also impact the output of the zfs list and df commands. For example:

# zfs listNAME USED AVAIL REFER MOUNTPOINTtank/home 16.5K 33.5G 8.50K /export/hometank/home/bonwick 15.0K 10.0G 8.50K /export/home/bonwicktank/home/bonwick/ws 6.50K 10.0G 8.50K /export/home/bonwick/ws# df -h /export/home/bonwickFilesystem size used avail capacity Mounted ontank/home/bonwick 10G 8K 10G 1% /export/home/bonwick

Note that although tank/home has 33.5 Gbytes of space available, tank/home/bonwick andtank/home/bonwick/ws only have 10 Gbytes of space available, due to the quota on tank/home/bonwick.

You cannot set a quota to an amount less than is currently being used by a dataset. For example:

# zfs set quota=10K tank/home/bonwickcannot set quota for ’tank/home/bonwick’: size is less than current used orreserved space

You can set a refquota on a dataset that limits the amount of space that the dataset can consume. Thishard limit does not include space that is consumed by snapshots and clones. For example:

# zfs set refquota=10g students/studentA# zfs listNAME USED AVAIL REFER MOUNTPOINTprofs 106K 33.2G 18K /profsstudents 57.7M 33.2G 19K /studentsstudents/studentA 57.5M 9.94G 57.5M /students/studentA# zfs snapshot students/studentA@today# zfs listNAME USED AVAIL REFER MOUNTPOINTprofs 106K 33.2G 18K /profsstudents 57.7M 33.2G 19K /studentsstudents/studentA 57.5M 9.94G 57.5M /students/studentAstudents/studentA@today 0 - 57.5M -

For additional convenience, you can set another quota on a dataset to help manage the space that isconsumed by snapshots. For example:

# zfs set quota=20g students/studentA# zfs listNAME USED AVAIL REFER MOUNTPOINTprofs 106K 33.2G 18K /profsstudents 57.7M 33.2G 19K /studentsstudents/studentA 57.5M 9.94G 57.5M /students/studentAstudents/studentA@today 0 - 57.5M -

100

5.6. ZFS Quotas and Reservations

In this scenario, studentA can bump into the refquota (10 Gbytes) hard limit and remove files to recovereven if snapshots exist.

In the above example, the smaller of the two quotas (10 Gbytes versus 20 Gbytes) is displayed in the zfslist output. To see the value of both quotas, use the zfs get command. For example:

# zfs get refquota,quota students/studentANAME PROPERTY VALUE SOURCEstudents/studentA refquota 10G localstudents/studentA quota 20G local

Setting Reservations on ZFS File Systems

A ZFS reservation is an allocation of space from the pool that is guaranteed to be available to a dataset.As such, you cannot reserve space for a dataset if that space is not currently available in the pool. The totalamount of all outstanding unconsumed reservations cannot exceed the amount of unused space in the pool.ZFS reservations can be set and displayed by using the zfs set and zfs get commands. For example:

# zfs set reservation=5G tank/home/moore# zfs get reservation tank/home/mooreNAME PROPERTY VALUE SOURCEtank/home/moore reservation 5.00G local

ZFS reservations can affect the output of the zfs list command. For example:

# zfs listNAME USED AVAIL REFER MOUNTPOINTtank/home 5.00G 33.5G 8.50K /export/hometank/home/moore 15.0K 10.0G 8.50K /export/home/moore

Note that tank/home is using 5 Gbytes of space, although the total amount of space referred to bytank/home and its descendents is much less than 5 Gbytes. The used space reflects the space reservedfor tank/home/moore. Reservations are considered in the used space of the parent dataset and docount against its quota, reservation, or both.

# zfs set quota=5G pool/filesystem# zfs set reservation=10G pool/filesystem/user1cannot set reservation for ’pool/filesystem/user1’: size is greater thanavailable space

A dataset can use more space than its reservation, as long as space is available in the pool that is unreservedand the dataset’s current usage is below its quota. A dataset cannot consume space that has been reservedfor another dataset.

Reservations are not cumulative. That is, a second invocation of zfs set to set a reservation does not addits reservation to the existing reservation. Rather, the second reservation replaces the first reservation.

# zfs set reservation=10G tank/home/moore# zfs set reservation=5G tank/home/moore# zfs get reservation tank/home/mooreNAME PROPERTY VALUE SOURCEtank/home/moore reservation 5.00G local

You can set a refreservation to guarantee space for a dataset that does not include space consumedby snapshots and clones. The refreservation reservation is accounted for in the parent datasets’space used, and counts against the parent datasets’ quotas and reservations. For example:

101


# zfs set refreservation=10g profs/prof1# zfs listNAME USED AVAIL REFER MOUNTPOINTprofs 10.0G 23.2G 19K /profsprofs/prof1 10G 33.2G 18K /profs/prof1

You can also set a reservation on the same dataset to guarantee dataset space and snapshot space. Forexample:

# zfs set reservation=20g profs/prof1# zfs listNAME USED AVAIL REFER MOUNTPOINTprofs 20.0G 13.2G 19K /profsprofs/prof1 10G 33.2G 18K /profs/prof1

Regular reservations are accounted for in the parent’s used space.

In the above example, the smaller of the two quotas (10 Gbytes versus 20 Gbytes) is displayed in the zfslist output. To see the value of both quotas, use the zfs get command. For example:

# zfs get reservation,refreserv profs/prof1NAME PROPERTY VALUE SOURCEprofs/prof1 reservation 20G localprofs/prof1 refreservation 10G local

If refreservation is set, a snapshot is only allowed if enough free pool space exists outside of thisreservation to accommodate the current number of referenced bytes in the dataset.

102

Chapter 6

Working With ZFS Snapshots and Clones

This chapter describes how to create and manage ZFS snapshots and clones. Information about savingsnapshots is also provided in this chapter.


• Section 6.1

• Section 6.1

• Section 6.1

• Section 6.1

• Section 6.2

• Section 6.2

• Section 6.2

• Section 6.3

6.1 Overview of ZFS Snapshots

A snapshot is a read-only copy of a file system or volume. Snapshots can be created almost instantly, andinitially consume no additional disk space within the pool. However, as data within the active datasetchanges, the snapshot consumes disk space by continuing to reference the old data and so prevents thespace from being freed.

ZFS snapshots include the following features:

• Persist across system reboots.

• The theoretical maximum number of snapshots is 264.

• Use no separate backing store. Snapshots consume disk space directly from the same storage pool as thefile system from which they were created.

103

6. WORKING WITH ZFS SNAPSHOTS AND CLONES

• Recursive snapshots are created quickly as one atomic operation. The snapshots are created together(all at once) or not created at all. The benefit of atomic snapshots operations is that the snapshot data isalways taken at one consistent time, even across descendent file systems.

Snapshots of volumes cannot be accessed directly, but they can be cloned, backed up, rolled back to, andso on. For information about backing up a ZFS snapshot, see Section 6.3.

Creating and Destroying ZFS Snapshots

Snapshots are created by using the zfs snapshot command, which takes as its only argument the name ofthe snapshot to create. The snapshot name is specified as follows:

filesystem@snapnamevolume@snapname

The snapshot name must satisfy the naming conventions defined in Section 1.4.

In the following example, a snapshot of tank/home/ahrens that is named friday is created.

# zfs snapshot tank/home/ahrens@friday

You can create snapshots for all descendent file systems by using the -r option. For example:

# zfs snapshot -r tank/home@now# zfs list -t snapshotNAME USED AVAIL REFER MOUNTPOINTtank/home@now 0 - 29.5K -tank/home/ahrens@now 0 - 2.15M -tank/home/anne@now 0 - 1.89M -tank/home/bob@now 0 - 1.89M -tank/home/cindys@now 0 - 2.15M -

Snapshots have no modifiable properties. Nor can dataset properties be applied to a snapshot.

# zfs set compression=on tank/home/ahrens@tuesdaycannot set compression property for ’tank/home/ahrens@tuesday’: snapshotproperties cannot be modified

Snapshots are destroyed by using the zfs destroy command. For example:

# zfs destroy tank/home/ahrens@friday

A dataset cannot be destroyed if snapshots of the dataset exist. For example:

# zfs destroy tank/home/ahrenscannot destroy ’tank/home/ahrens’: filesystem has childrenuse ’-r’ to destroy the following datasets:tank/home/ahrens@tuesdaytank/home/ahrens@wednesdaytank/home/ahrens@thursday

In addition, if clones have been created from a snapshot, then they must be destroyed before the snapshotcan be destroyed.

For more information about the destroy subcommand, see Section 5.1.

104

6.1. Overview of ZFS Snapshots

Renaming ZFS Snapshots

You can rename snapshots but they must be renamed within the pool and dataset from which they werecreated. For example:

# zfs rename tank/home/cindys@083006 tank/home/cindys@today

In addition, the following shortcut syntax provides equivalent snapshot renaming syntax as the exampleabove.

# zfs rename tank/home/cindys@083006 today

The following snapshot rename operation is not supported because the target pool and file system nameare different from the pool and file system where the snapshot was created.

# zfs rename tank/home/cindys@today pool/home/cindys@saturdaycannot rename to ’pool/home/cindys@today’: snapshots must be part of samedataset

You can recursively rename snapshots with the zfs rename -r command. For example:

# zfs listNAME USED AVAIL REFER MOUNTPOINTusers 270K 16.5G 22K /usersusers/home 76K 16.5G 22K /users/homeusers/home@yesterday 0 - 22K -users/home/markm 18K 16.5G 18K /users/home/markmusers/home/markm@yesterday 0 - 18K -users/home/marks 18K 16.5G 18K /users/home/marksusers/home/marks@yesterday 0 - 18K -users/home/neil 18K 16.5G 18K /users/home/neilusers/home/neil@yesterday 0 - 18K -# zfs rename -r users/home@yesterday @2daysago# zfs list -r users/homeNAME USED AVAIL REFER MOUNTPOINTusers/home 76K 16.5G 22K /users/homeusers/home@2daysago 0 - 22K -users/home/markm 18K 16.5G 18K /users/home/markmusers/home/markm@2daysago 0 - 18K -users/home/marks 18K 16.5G 18K /users/home/marksusers/home/marks@2daysago 0 - 18K -users/home/neil 18K 16.5G 18K /users/home/neilusers/home/neil@2daysago 0 - 18K -

Displaying and Accessing ZFS Snapshots

Snapshots of file systems are accessible in the .zfs/snapshot directory within the root of thecontaining file system. For example, if tank/home/ahrens is mounted on /home/ahrens, thenthe tank/home/ahrens@thursday snapshot data is accessible in the /home/ahrens/.zfs/snapshot/thursday directory.

# ls /tank/home/ahrens/.zfs/snapshottuesday wednesday thursday

You can list snapshots as follows:

105


# zfs list -t snapshotNAME USED AVAIL REFER MOUNTPOINTpool/home/anne@monday 0 - 780K -pool/home/bob@monday 0 - 1.01M -tank/home/ahrens@tuesday 8.50K - 780K -tank/home/ahrens@wednesday 8.50K - 1.01M -tank/home/ahrens@thursday 0 - 1.77M -tank/home/cindys@today 8.50K - 524K -

You can list snapshots that were created for a particular file system as follows:

# zfs list -r -t snapshot -o name,creation tank/homeNAME CREATIONtank/home@now Wed Aug 30 10:53 2006tank/home/ahrens@tuesday Wed Aug 30 10:53 2006tank/home/ahrens@wednesday Wed Aug 30 10:54 2006tank/home/ahrens@thursday Wed Aug 30 10:53 2006tank/home/cindys@now Wed Aug 30 10:57 2006

Snapshot Space Accounting

When a snapshot is created, its space is initially shared between the snapshot and the file system, andpossibly with previous snapshots. As the file system changes, space that was previously shared becomesunique to the snapshot, and thus is counted in the snapshot’s used property. Additionally, deleting snapshotscan increase the amount of space unique to (and thus used by) other snapshots.

A snapshot’s space referenced property is the same as the file system’s was when the snapshot was created.

Rolling Back to a ZFS Snapshot

The zfs rollback command can be used to discard all changes made since a specific snapshot. The filesystem reverts to its state at the time the snapshot was taken. By default, the command cannot roll back toa snapshot other than the most recent snapshot.

To roll back to an earlier snapshot, all intermediate snapshots must be destroyed. You can destroy earliersnapshots by specifying the -r option.

If clones of any intermediate snapshots exist, the -R option must be specified to destroy the clones as well.

NoteThe file system that you want to roll back must be unmounted and remounted, if it is currently mounted.If the file system cannot be unmounted, the rollback fails. The -f option forces the file system to beunmounted, if necessary.

In the following example, the tank/home/ahrens file system is rolled back to the tuesday snapshot:

# zfs rollback tank/home/ahrens@tuesdaycannot rollback to ’tank/home/ahrens@tuesday’: more recent snapshots existuse ’-r’ to force deletion of the following snapshots:tank/home/ahrens@wednesdaytank/home/ahrens@thursday# zfs rollback -r tank/home/ahrens@tuesday

106

6.2. Overview of ZFS Clones

In the above example, the wednesday and thursday snapshots are removed because you rolled backto the previous tuesday snapshot.# zfs list -r -t snapshot -o name,creation tank/home/ahrensNAME CREATIONtank/home/ahrens@tuesday Wed Aug 30 10:53 2006

6.2 Overview of ZFS Clones

A clone is a writable volume or file system whose initial contents are the same as the dataset from whichit was created. As with snapshots, creating a clone is nearly instantaneous, and initially consumes noadditional disk space. In addition, you can snapshot a clone.

• Section 6.2

• Section 6.2

• Section 6.2

Clones can only be created from a snapshot. When a snapshot is cloned, an implicit dependency is createdbetween the clone and snapshot. Even though the clone is created somewhere else in the dataset hierarchy,the original snapshot cannot be destroyed as long as the clone exists. The origin property exposes thisdependency, and the zfs destroy command lists any such dependencies, if they exist.

Clones do not inherit the properties of the dataset from which it was created. Use the zfs get and zfs setcommands to view and change the properties of a cloned dataset. For more information about setting ZFSdataset properties, see Section 5.4.

Because a clone initially shares all its disk space with the original snapshot, its used property is initiallyzero. As changes are made to the clone, it uses more space. The used property of the original snapshotdoes not consider the disk space consumed by the clone.

Creating a ZFS Clone

To create a clone, use the zfs clone command, specifying the snapshot from which to create the clone, andthe name of the new file system or volume. The new file system or volume can be located anywhere inthe ZFS hierarchy. The type of the new dataset (for example, file system or volume) is the same type asthe snapshot from which the clone was created. You cannot create clone of a file system in a pool that isdifferent from where the original file system snapshot resides.

In the following example, a new clone named tank/home/ahrens/bug123 with the same initialcontents as the snapshot tank/ws/gate@yesterday is created.# zfs snapshot tank/ws/gate@yesterday# zfs clone tank/ws/gate@yesterday tank/home/ahrens/bug123

In the following example, a cloned workspace is created from the projects/newproject@todaysnapshot for a temporary user as projects/teamA/tempuser. Then, properties are set on the clonedworkspace.# zfs snapshot projects/newproject@today# zfs clone projects/newproject@today projects/teamA/tempuser# zfs set sharenfs=on projects/teamA/tempuser# zfs set quota=5G projects/teamA/tempuser

107


Destroying a ZFS Clone

ZFS clones are destroyed by using the zfs destroy command. For example:

# zfs destroy tank/home/ahrens/bug123

Clones must be destroyed before the parent snapshot can be destroyed.

Replacing a ZFS File System With a ZFS Clone

You can use the zfs promote command to replace an active ZFS file system with a clone of that file system.This feature facilitates the ability to clone and replace file systems so that the “origin” file system becomethe clone of the specified file system. In addition, this feature makes it possible to destroy the file systemfrom which the clone was originally created. Without clone promotion, you cannot destroy a “origin” filesystem of active clones. For more information about destroying clones, see Section 6.2.

In the following example, the tank/test/productA file system is cloned and then the clone filesystem, tank/test/productAbeta becomes the tank/test/productA file system.

# zfs create tank/test# zfs create tank/test/productA# zfs snapshot tank/test/productA@today# zfs clone tank/test/productA@today tank/test/productAbeta# zfs list -r tank/testNAME USED AVAIL REFER MOUNTPOINTtank/test 314K 8.24G 25.5K /tank/testtank/test/productA 288K 8.24G 288K /tank/test/productAtank/test/productA@today 0 - 288K -tank/test/productAbeta 0 8.24G 288K /tank/test/productAbeta# zfs promote tank/test/productAbeta# zfs list -r tank/testNAME USED AVAIL REFER MOUNTPOINTtank/test 316K 8.24G 27.5K /tank/testtank/test/productA 0 8.24G 288K /tank/test/productAtank/test/productAbeta 288K 8.24G 288K /tank/test/productAbetatank/test/productAbeta@today 0 - 288K -

In the above zfs -list output, you can see that the space accounting of the original productA filesystem has been replaced with the productAbeta file system.

Complete the clone replacement process by renaming the file systems. For example:

# zfs rename tank/test/productA tank/test/productAlegacy# zfs rename tank/test/productAbeta tank/test/productA# zfs list -r tank/testNAME USED AVAIL REFER MOUNTPOINTtank/test 316K 8.24G 27.5K /tank/testtank/test/productA 288K 8.24G 288K /tank/test/productAtank/test/productA@today 0 - 288K -tank/test/productAlegacy 0 8.24G 288K /tank/test/productAlegacy

Optionally, you can remove the legacy file system. For example:

# zfs destroy tank/test/productAlegacy

108

6.3. Saving and Restoring ZFS Data

6.3 Saving and Restoring ZFS Data

The zfs send command creates a stream representation of a snapshot that is written to standard output.By default, a full stream is generated. You can redirect the output to a file or to a different system. Thezfs receive command creates a snapshot whose contents are specified in the stream that is provided onstandard input. If a full stream is received, a new file system is created as well. You can save ZFS snapshotdata and restore ZFS snapshot data and file systems with these commands. See the examples in the nextsection.

• Section 6.3

• Section 6.3

• Section 6.3

• Section 6.3

The following solutions for saving ZFS data are provided:

• Saving ZFS snapshots and rolling back snapshots, if necessary.

• Saving full and incremental copies of ZFS snapshots and restoring the snapshots and file systems, ifnecessary.

• Remotely replicating ZFS file systems by saving and restoring ZFS snapshots and file systems.

• Saving ZFS data with archive utilities such as tar and cpio or third-party backup products.

Consider the following when choosing a solution for saving ZFS data:

• File system snapshots and rolling back snapshots – Use the zfs snapshot and zfs rollback commands ifyou want to easily create a copy of a file system and revert back to a previous file system version, ifnecessary. For example, if you want to restore a file or files from a previous version of a file system, youcould use this solution.

For more information about creating and rolling back to a snapshot, see Section 6.1.

• Saving snapshots – Use the zfs send and zfs receive commands to save and restore a ZFS snapshot. Youcan save incremental changes between snapshots, but you cannot restore files individually. You mustrestore the entire file system snapshot.

• Remote replication – Use the zfs send and zfs receive commands when you want to copy a file systemfrom one system to another. This process is different from a traditional volume management product thatmight mirror devices across a WAN. No special configuration or hardware is required. The advantageof replicating a ZFS file system is that you can re-create a file system on a storage pool on anothersystem, and specify different levels of configuration for the newly created pool, such as RAID-Z, butwith identical file system data.

109


Saving ZFS Data With Other Backup Products

In addition to the zfs send and zfs receive commands, you can also use archive utilities, such as tar(1) andcpio(1), to save ZFS files. All of these utilities save and restore ZFS file attributes and ACLs. Check theappropriate options for the tar and cpio commands.

For up-to-date information about issues with ZFS and third-party backup products, please see the SolarisExpress Developer Edition release notes.

http://opensolaris.org/os/community/zfs/faq/#backupsoftware

Saving a ZFS Snapshot

The most common use of the zfs send command is to save a copy of a snapshot and receive the snapshoton another system that is used to store backup data. For example:

host1# zfs send tank/dana@snap1 | ssh host2 zfs recv newtank/dana

When sending a full stream, the destination file system must not exist.

You can save incremental data by using the zfs send -i option. For example:

host1# zfs send -i tank/dana@snap1 tank/dana@snap2 | ssh host2 zfs recv newtank/dana

Note that the first argument is the earlier snapshot and the second argument is the later snapshot. In thiscase, the newtank/dana file system must exist for the incremental receive to be successful.

The incremental snapshot1 source can be specified as the last component of the snapshot name. Thisshortcut means you only have to specify the name after the @ sign for snapshot1, which is assumed tobe from the same file system as snapshot2. For example:

host1# zfs send -i snap1 tank/dana@snap2 > ssh host2 zfs recv newtank/dana

This syntax is equivalent to the above example of the incremental syntax.

The following message is displayed if you attempt to generate an incremental stream from a different filesystem snapshot1:

cannot send ’pool/fs@name’: not an earlier snapshot from the same fs

If you need to store many copies, you might consider compressing a ZFS snapshot stream representationwith the gzip command. For example:

# zfs send pool/fs@snap | gzip > backupfile.gz

Restoring a ZFS Snapshot

Keep the following key points in mind when you restore a file system snapshot:

• The snapshot and the file system are restored.

• The file system and all descendent file systems are unmounted.

• The file systems are inaccessible while they are being restored.

110


• The original file system to be restored must not exist while it is being restored.

• If a conflicting file system name exists, zfs rename can be used to rename the file system.

For example:

# zfs send tank/gozer@0830 > /bkups/gozer.083006# zfs receive tank/gozer2@today < /bkups/gozer.083006# zfs rename tank/gozer tank/gozer.old# zfs rename tank/gozer2 tank/gozer

You can use zfs recv as an alias for the zfs receive command.

If you make a change to the file system and you want to do another incremental send of a snapshot, youmust first rollback the receiving file system.

For example, if you make a change to the file system as follows:

host2# rm newtank/dana/file.1

And you do an incremental send of tank/dana@snap3, you must first rollback the receiving file systemto receive the new incremental snapshot. You can eliminate the rollback step by using the -F option. Forexample:

host1# zfs send -i tank/dana@snap2 tank/dana@snap3 | ssh host2 zfs recv -F newtank/dana

When you receive an incremental snapshot, the destination file system must already exist.

If you make changes to the file system and you do not rollback the receiving file system to receive the newincremental snapshot or you do not use the -F option, you will see the following message:

host1# zfs send -i tank/dana@snap4 tank/dana@snap5 | ssh host2 zfs recv newtank/danacannot receive: destination has been modified since most recent snapshot

The following checks are performed before the -F option is successful:

• If the most recent snapshot doesn’t match the incremental source, neither the rollback nor the receive iscompleted, and an error message is returned.

• If you accidentally provide the name of different file system that doesn’t match the incremental sourceto the zfs receive command, neither the rollback nor the receive is completed, and the following errormessage is returned.

cannot send ’pool/fs@name’: not an earlier snapshot from the same fs

Sending and Receiving Complex ZFS Snapshot Streams

This section describes how to use the zfs send -I and -R options to send and receive more complexsnapshot streams.

Keep the following points in mind when sending and receiving ZFS snapshot streams:

• Use the zfs send -I option to send all incremental streams from one snapshot to a cumulative snapshot.Or, use this option to send an incremental stream from the origin snapshot to create a clone. The originalsnapshot must already exist on the receiving side to accept the incremental stream.

111


• Use the zfs send -R option to send a replication stream of all descendent file systems. When received,all properties, snapshots, descendent file systems, and clones are preserved.

• Or use both options to send an incremental replication stream.

– Changes to properties and snapshot and file system renames and destroys are preserved.

– If zfs recv -F is not specified when receiving the replication stream, dataset destroys are ignored.The zfs recv -F syntax in this case also retains its rollback if necessary meaning.

– As with other (non zfs send -R) -i or -I cases, if -I is used, all snapshots between snapA andsnapD are sent. If -i is used, only snapD (for all descendents) are sent.

• To receive any of these new types of zfs send streams, the receiving system must be running a softwareversion capable of sending them. The stream version is incremented.

• However, you can access streams from older pool versions by using a newer software version, which canalso access newer pool versions. For example, you can send and receive streams created with the neweroptions to and from a version 3 pool. But, you must be running recent software to receive a stream sentwith the newer options.

Example 6.1: Examples—Sending and Receiving Complex ZFS Snapshot Streams

A group of incremental snapshots can be combined into one snapshot by using the zfs send -I option.For example:

# zfs send -I pool/fs@snapA pool/fs@snapD > /snaps/fs@all-I

Remove snapshots B, C, and D.

# zfs destroy pool/fs@snapB# zfs destroy pool/fs@snapC# zfs destroy pool/fs@snapD

Restore the combined snapshot.

# zfs receive -d -F pool/fs < /snaps/fs@all-I# zfs listNAME USED AVAIL REFER MOUNTPOINTpool 428K 16.5G 20K /poolpool/fs 71K 16.5G 21K /pool/fspool/fs@snapA 16K - 18.5K -pool/fs@snapB 17K - 20K -pool/fs@snapC 17K - 20.5K -pool/fs@snapD 0 - 21K -

You can also use the zfs send -I command to combine a snapshot and a clone snapshot to create acombined dataset. For example:

# zfs create pool/fs# zfs snapshot pool/fs@snap1# zfs clone pool/fs@snap1 pool/clone# zfs snapshot pool/clone@snapA# zfs send -I pool/fs@snap1 pool/clone@snapA > /snaps/fsclonesnap-I# zfs destroy pool/clone@snapA# zfs destroy pool/clone# zfs receive -F pool/clone < /snaps/fsclonesnap-I

112


Use the zfs send -R command to replicate a ZFS file system and all descendent file systems, up tothe named snapshot. When received, all properties, snapshots, descendent file systems, and clones arepreserved.In the following example, snapshots are created of user file systems. One replication stream is created ofall user snapshots. Then, the original file systems and snapshots are destroyed and recovered.

# zfs snapshot -r users@today# zfs listNAME USED AVAIL REFER MOUNTPOINTusers 187K 33.2G 22K /usersusers@today 0 - 22K -users/user1 18K 33.2G 18K /users/user1users/user1@today 0 - 18K -users/user2 18K 33.2G 18K /users/user2users/user2@today 0 - 18K -users/user3 18K 33.2G 18K /users/user3users/user3@today 0 - 18K -# zfs send -R users@today > /snaps/users-R# zfs destroy -r users# zfs receive -F -d users < /snaps/users-R# zfs listNAME USED AVAIL REFER MOUNTPOINTusers 196K 33.2G 22K /usersusers@today 0 - 22K -users/user1 18K 33.2G 18K /users/user1users/user1@today 0 - 18K -users/user2 18K 33.2G 18K /users/user2users/user2@today 0 - 18K -users/user3 18K 33.2G 18K /users/user3users/user3@today 0 - 18K -

You can use the zfs send R command to replicate the users dataset and its descendents and send thereplicated stream to another pool, users2.

# zfs create users2 mirror c0t1d0 c1t1d0# zfs receive -F -d users2 < /snaps/users-R# zfs listNAME USED AVAIL REFER MOUNTPOINTusers 224K 33.2G 22K /usersusers@today 0 - 22K -users/user1 33K 33.2G 18K /users/user1users/user1@today 15K - 18K -users/user2 18K 33.2G 18K /users/user2users/user2@today 0 - 18K -users/user3 18K 33.2G 18K /users/user3users/user3@today 0 - 18K -users2 188K 16.5G 22K /users2users2@today 0 - 22K -users2/user1 18K 16.5G 18K /users2/user1users2/user1@today 0 - 18K -users2/user2 18K 16.5G 18K /users2/user2users2/user2@today 0 - 18K -users2/user3 18K 16.5G 18K /users2/user3users2/user3@today 0 - 18K -

113


Remote Replication of ZFS Data

You can use the zfs send and zfs recv commands to remotely copy a snapshot stream representation fromone system to another system. For example:

# zfs send tank/cindy@today | ssh newsys zfs recv sandbox/restfs@today

This command saves the tank/cindy@today snapshot data and restores it into the sandbox/restfs file system and also creates a restfs@today snapshot on the newsys system. In thisexample, the user has been configured to use ssh on the remote system.

114

Chapter 7

Using ACLs to Protect ZFS Files

This chapter provides information about using access control lists (ACLs) to protect your ZFS files byproviding more granular permissions than the standard UNIX permissions.


• Section 7.1

• Section 7.2

• Section 7.3

• Section 7.4

7.1 The NFSv4 ACL Model

Older versions of Solaris supported an ACL implementation that was primarily based on the POSIX-draftACL specification. The POSIX-draft based ACLs are used to protect UFS files and are translated byversions of NFS prior to NFSv4.

With the introduction of NFSv4, a new ACL model fully supports the interoperability that NFSv4 offers be-tween UNIX and non-UNIX clients. The new ACL implementation, as defined in the NFSv4 specification,provides much richer semantics that are based on NT-style ACLs.

The main differences of the new ACL model are as follows:

• Based on the NFSv4 specification and similar to NT-style ACLs.

• Provide much more granular set of access privileges. For more information, see Table 7.2.

• Set and displayed with the chmod and ls commands rather than the setfacl and getfacl commands.

• Provide richer inheritance semantics for designating how access privileges are applied from directory tosubdirectories, and so on. For more information, see Section 7.1.

115

7. USING ACLS TO PROTECT ZFS FILES

Both ACL models provide more fine-grained access control than is available with the standard filepermissions. Much like POSIX-draft ACLs, the new ACLs are composed of multiple Access ControlEntries (ACEs).

POSIX-draft style ACLs use a single entry to define what permissions are allowed and what permissionsare denied. The new ACL model has two types of ACEs that affect access checking: ALLOW and DENY.As such, you cannot infer from any single ACE that defines a set of permissions whether or not thepermissions that weren’t defined in that ACE are allowed or denied.

Translation between NFSv4-style ACLs and POSIX-draft ACLs is as follows:

• If you use any ACL-aware utility, such as the cp, mv, tar, cpio, or rcp commands, to transfer UFS fileswith ACLs to a ZFS file system, the POSIX-draft ACLs are translated into the equivalent NFSv4-styleACLs.

• Some NFSv4-style ACLs are translated to POSIX-draft ACLs. You see a message similar to the followingif an NFSv4–style ACL isn’t translated to a POSIX-draft ACL:

# cp -p filea /var/tmpcp: failed to set acl entries on /var/tmp/filea

• If you create a UFS tar or cpio archive with the preserve ACL option (tar -p or cpio -P) on a systemthat runs a current Solaris release, you will lose the ACLs when the archive is extracted on a system thatruns a previous Solaris release.

All of the files are extracted with the correct file modes, but the ACL entries are ignored.

• You can use the ufsrestore command to restore data into a ZFS file system, but the ACLs will be lost.

• If you attempt to set an NFSv4-style ACL on a UFS file, you see a message similar to the following:

chmod: ERROR: ACL type’s are different

• If you attempt to set a POSIX-style ACL on a ZFS file, you will see messages similar to the following:

# getfacl fileaFile system doesn’t support aclent_t style ACL’s.See acl(5) for more information on Solaris ACL support.

For information about other limitations with ACLs and backup products, see Section 6.3.

Syntax Descriptions for Setting ACLs

Two basic ACL formats are provided as follows:

Syntax for Setting Trivial ACLs

chmod [options] A[index]{+|=}owner@|group@|everyone@:access-permissions/...[:inheritance-flags]:deny | allow file

chmod [options] A-owner@, group@, everyone@:access-permissions/...[:inheritance-flags]:deny | allow file ...

chmod [options] A[index]- file

116

7.1. The NFSv4 ACL Model

Syntax for Setting Non-Trivial ACLs

chmod [options] A[index]{+|=}user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file

chmod [options] A-user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file ...

chmod [options] A[index]- file

owner@, group@, everyone@Identifies the ACL-entry-type for trivial ACL syntax. For a description of ACL-entry-types, seeTable 7.1.

user or group:ACL-entry-ID=username or groupnameIdentifies the ACL-entry-type for explicit ACL syntax. The user and group ACL-entry-type mustalso contain the ACL-entry-ID, username or groupname. For a description of ACL-entry-types, seeTable 7.1.

access-permissions/.../Identifies the access permissions that are granted or denied. For a description of ACL accessprivileges, see Table 7.2.

inheritance-flagsIdentifies an optional list of ACL inheritance flags. For a description of the ACL inheritance flags,see Table 7.3.

deny | allowIdentifies whether the access permissions are granted or denied.

In the following example, the ACL-entry-ID value is not relevant:

group@:write_data/append_data/execute:deny

The following example includes an ACL-entry-ID because a specific user (ACL-entry-type) is included inthe ACL.

0:user:gozer:list_directory/read_data/execute:allow

When an ACL entry is displayed, it looks similar to the following:

2:group@:write_data/append_data/execute:deny

The 2 or the index-ID designation in this example identifies the ACL entry in the larger ACL, which mighthave multiple entries for owner, specific UIDs, group, and everyone. You can specify the index-ID with thechmod command to identify which part of the ACL you want to modify. For example, you can identifyindex ID 3 as A3 to the chmod command, similar to the following:

chmod A3=user:venkman:read_acl:allow filename

ACL entry types, which are the ACL representations of owner, group, and other, are described in thefollowing table.

117


Table 7.1: ACL Entry Types

ACL Entry Type Descriptionowner@ Specifies the access granted to the owner of the object.group@ Specifies the access granted to the owning group of the object.

everyone@Specifies the access granted to any user or group that does not match anyother ACL entry.

user

With a user name, specifies the access granted to an additional user of theobject. Must include the ACL-entry-ID, which contains a username oruserID. If the value is not a valid numeric UID or username, the ACLentry type is invalid.

group

With a group name, specifies the access granted to an additional group ofthe object. Must include the ACL-entry-ID, which contains a groupnameor groupID. If the value is not a valid numeric GID or groupname, theACL entry type is invalid.

ACL access privileges are described in the following table.

Table 7.2: ACL Access Privileges

Access Privilege Compact AccessPrivilege Description

add_file w Permission to add a new file to a directory.add_subdirectory p On a directory, permission to create a subdirectory.append_data p Placeholder. Not currently implemented.delete d Permission to delete a file.delete_child D Permission to delete a file or directory within a directory.

execute xPermission to execute a file or search the contents of adirectory.

list_directory r Permission to list the contents of a directory.read_acl c Permission to read the ACL (ls).

read_attributes a

Permission to read basic attributes (non-ACLs) of a file.Think of basic attributes as the stat level attributes.Allowing this access mask bit means the entity can executels(1) and stat(2).

read_data r Permission to read the contents of the file.

read_xattr RPermission to read the extended attributes of a file orperform a lookup in the file’s extended attributes directory.

synchronize s Placeholder. Not currently implemented.

write_xattr W

Permission to create extended attributes or write to theextended attributes directory.Granting this permission to a user means that the user cancreate an extended attribute directory for a file. Theattribute file’s permissions control the user’s access to theattribute.

write_data w Permission to modify or replace the contents of a file.

118

7.1. The NFSv4 ACL Model


Access Privilege Compact AccessPrivilege Description

write_attributes APermission to change the times associated with a file ordirectory to an arbitrary value.

write_acl CPermission to write the ACL or the ability to modify theACL by using the chmod command.

write_owner o

Permission to change the file’s owner or group. Or, theability to execute the chown or chgrp commands on thefile.Permission to take ownership of a file or permission tochange the group ownership of the file to a group of whichthe user is a member. If you want to change the file orgroup ownership to an arbitrary user or group, then thePRIV_FILE_CHOWN privilege is required.

ACL Inheritance

The purpose of using ACL inheritance is so that a newly created file or directory can inherit the ACLsthey are intended to inherit, but without disregarding the existing permission bits on the parent directory.

By default, ACLs are not propagated. If you set an non-trivial ACL on a directory, it is not inherited to anysubsequent directory. You must specify the inheritance of an ACL on a file or directory.

The optional inheritance flags are described in the following table.

Table 7.3: ACL Inheritance Flags

Inheritance FlagCompactInheritanceFlag

Description

file_inherit fOnly inherit the ACL from the parent directory to thedirectory’s files.

dir_inherit dOnly inherit the ACL from the parent directory to thedirectory’s subdirectories.

inherit_only i

Inherit the ACL from the parent directory but appliesonly to newly created files or subdirectories and not thedirectory itself. This flag requires thefile_inherit flag, the dir_inherit flag, orboth, to indicate what to inherit.

no_propagate n

Only inherit the ACL from the parent directory to thefirst-level contents of the directory, not thesecond-level or subsequent contents. This flag requiresthe file_inherit flag, the dir_inherit flag,or both, to indicate what to inherit.

119


In addition, you can set a default ACL inheritance policy on the file system that is more strict or less strictby using the aclinherit file system property. For more information, see the next section.

ACL Property Modes

The ZFS file system includes two property modes related to ACLs:

• aclinherit – This property determines the behavior of ACL inheritance. Values include the follow-ing:

– discard – For new objects, no ACL entries are inherited when a file or directory is created. TheACL on the file or directory is equal to the permission mode of the file or directory.

– noallow – For new objects, only inheritable ACL entries that have an access type of deny areinherited.

– secure – For new objects, the write_owner and write_acl permissions are removed whenan ACL entry is inherited.

– passthrough – For new objects, the inheritable ACL entries are inherited with no changes madeto them. This mode, in effect, disables secure mode.

The default mode for the aclinherit is secure.

• aclmode – This property modifies ACL behavior whenever a file or directory’s mode is modified bythe chmod command or when a file is initially created. Values include the following:

– discard – All ACL entries are removed except for the entries needed to define the mode of the fileor directory.

– groupmask – User or group ACL permissions are reduced so that they are no greater than the grouppermission bits, unless it is a user entry that has the same UID as the owner of the file or directory.Then, the ACL permissions are reduced so that they are no greater than owner permission bits.

– passthrough – For new objects, the inheritable ACL entries are inherited with no changes madeto the them.

The default mode for the aclmode property is groupmask.

7.2 Setting ACLs on ZFS Files

As implemented with ZFS, ACLs are composed of an array of ACL entries. ZFS provides a pure ACLmodel, where all files have an ACL. Typically, the ACL is trivial in that it only represents the traditionalUNIX owner/group/other entries.

ZFS files still have permission bits and a mode, but these values are more of a cache of what the ACLrepresents. As such, if you change the permissions of the file, the file’s ACL is updated accordingly. Inaddition, if you remove an non-trivial ACL that granted a user access to a file or directory, that user couldstill have access to the file or directory because of the file or directory’s permission bits that grant accessto group or everyone. All access control decisions are governed by the permissions represented in a file ordirectory’s ACL.

The primary rules of ACL access on a ZFS file are as follows:

120

7.2. Setting ACLs on ZFS Files

• ZFS processes ACL entries in the order they are listed in the ACL, from the top down.

• Only ACL entries that have a “who” that matches the requester of the access are processed.

• Once an allow permission has been granted, it cannot be denied by a subsequent ACL deny entry in thesame ACL permission set.

• The owner of the file is granted the write_acl permission unconditionally, even if the permission isexplicitly denied. Otherwise, any permission left unspecified is denied.

In the cases of deny permissions or when an access permission is missing, the privilege subsystemdetermines what access request is granted for the owner of the file or for superuser. This mechanismprevents owners of files from getting locked out of their files and enables superuser to modify files forrecovery purposes.

If you set an non-trivial ACL on a directory, the ACL is not automatically inherited by the directory’schildren. If you set an non-trivial ACL and you want it inherited to the directory’s children, you have touse the ACL inheritance flags. For more information, see Table 7.3 and Section 7.3.

When you create a new file and depending on the umask value, a default trivial ACL, similar to thefollowing, is applied:

$ ls -v file.1-r--r--r-- 1 root root 206663 May 4 11:52 file.1

0:owner@:write_data/append_data/execute:deny1:owner@:read_data/write_xattr/write_attributes/write_acl/write_owner

:allow2:group@:write_data/append_data/execute:deny3:group@:read_data:allow4:everyone@:write_data/append_data/write_xattr/execute/write_attributes

/write_acl/write_owner:deny5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize

:allow

Note that each user category (owner@, group@, everyone@) in this example has two ACL entries.One entry for deny permissions, and one entry is for allow permissions.

A description of this file ACL is as follows:

0:owner@The owner is denied execute permissions to the file (execute:deny).

1:owner@The owner can read and modify the contents of the file (read_data/write_data/append_data). The owner can also modify the file’s attributes such as timestamps, extended attributes,and ACLs (write_xattr/write_attributes /write_acl). In addition, the owner canmodify the ownership of the file (write_owner:allow)

2:group@The group is denied modify and execute permissions to the file (write_data/append_data/execute:deny).

3:group@The group is granted read permissions to the file (read_data:allow).

121


4:everyone@Everyone who is not user or group is denied permission to execute or modify the contents of thefile and to modify any attributes of the file (write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny).

5:everyone@Everyone who is not user or group is granted read permissions to the file, and the file’s attributes (read_data/read_xattr/read_attributes/read_acl/synchronize:allow). The synchronize access permission is not currently implemented.

When a new directory is created and depending on the umask value, a default directory ACL is similar tothe following:

$ ls -dv dir.1drwxr-xr-x 2 root root 2 Feb 23 10:37 dir.1

0:owner@::deny1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory

/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow

2:group@:add_file/write_data/add_subdirectory/append_data:deny3:group@:list_directory/read_data/execute:allow4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr

/write_attributes/write_acl/write_owner:deny5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes

/read_acl/synchronize:allow

A description of this directory ACL is as follows:

0:owner@The owner deny list is empty for the directory (::deny).

1:owner@The owner can read and modify the directory contents (list_directory/read_data/add_file/write_data/add_subdirectory/append_data), search the contents (execute), and modify the file’s attributes such as timestamps, extended attributes, and ACLs (write_xattr/write_attributes/write_acl). In addition, the owner can modify the ownershipof the directory (write_owner:allow).

2:group@The group cannot add to or modify the directory contents (add_file/write_data/add_subdirectory/append_data:deny).

3:group@The group can list and read the directory contents. In addition, the group has execute permission tosearch the directory contents (list_directory/read_data/execute:allow).

4:everyone@Everyone who is not user or group is denied permission to add to or modify the contents of the di-rectory (add_file/write_data/add_subdirectory/append_data). In addition, thepermission to modify any attributes of the directory is denied. (write_xattr /write_attributes/write_acl/write_owner:deny).

122

7.3. Setting and Displaying ACLs on ZFS Files in Verbose Format

5:everyone@Everyone who is not user or group is granted read and execute permissions to the directory contentsand the directory’s attributes (list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow). The synchronize access per-mission is not currently implemented.

7.3 Setting and Displaying ACLs on ZFS Files in Verbose Format

You can use the chmod command to modify ACLs on ZFS files. The following chmod syntax formodifying ACLs uses acl-specification to identify the format of the ACL. For a description of acl-specification, see Section 7.1.

• Adding ACL entries

– Adding an ACL entry for a user% chmod A+acl-specification filename

– Adding an ACL entry by index-ID

% chmod Aindex-ID+acl-specification filename

This syntax inserts the new ACL entry at the specified index-ID location.

• Replacing an ACL entry% chmod Aindex-ID=acl-specification filename

% chmod A=acl-specification filename

• Removing ACL entries

– Removing an ACL entry by index-ID

% chmod Aindex-ID- filename

– Removing an ACL entry by user% chmod A-acl-specification filename

– Removing all non-trivial ACEs from a file% chmod A- filename

Verbose ACL information is displayed by using the ls -v command. For example:# ls -v file.1-rw-r--r-- 1 root root 206663 Feb 16 11:00 file.1

0:owner@:execute:deny1:owner@:read_data/write_data/append_data/write_xattr/write_attributes

/write_acl/write_owner:allow2:group@:write_data/append_data/execute:deny3:group@:read_data:allow4:everyone@:write_data/append_data/write_xattr/execute/write_attributes


:allow

123


For information about using the compact ACL format, see Section 7.4.

Example 7.1: Modifying Trivial ACLs on ZFS Files

This section provides examples of setting and displaying trivial ACLs.In the following example, a trivial ACL exists on file.1:

# ls -v file.1-rw-r--r-- 1 root root 206663 Feb 16 11:00 file.1




:allow

In the following example, write_data permissions are granted for group@.

# chmod A2=group@:append_data/execute:deny file.1# chmod A3=group@:read_data/write_data:allow file.1# ls -v file.1-rw-rw-r-- 1 root root 206663 May 3 16:36 file.1


/write_acl/write_owner:allow2:group@:append_data/execute:deny3:group@:read_data/write_data:allow4:everyone@:write_data/append_data/write_xattr/execute/write_attributes


:allow

In the following example, permissions on file.1 are set back to 644.

# chmod 644 file.1# ls -v file.1-rw-r--r-- 1 root root 206663 May 3 16:36 file.1




:allow

Example 7.2: Setting Non-Trivial ACLs on ZFS Files

This section provides examples of setting and displaying non-trivial ACLs.In the following example, read_data/execute permissions are added for the user gozer on thetest.dir directory.

# chmod A+user:gozer:read_data/execute:allow test.dir# ls -dv test.dir

124


drwxr-xr-x+ 2 root root 2 Feb 16 11:12 test.dir0:user:gozer:list_directory/read_data/execute:allow1:owner@::deny2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory





In the following example, read_data/execute permissions are removed for user gozer.# chmod A0- test.dir# ls -dv test.dirdrwxr-xr-x 2 root root 2 Feb 16 11:12 test.dir






Example 7.3: ACL Interaction With Permissions on ZFS Files

These ACL examples illustrate the interaction between setting ACLs and then changing the file ordirectory’s permission bits.In the following example, a trivial ACL exists on file.2:# ls -v file.2-rw-r--r-- 1 root root 2703 Feb 16 11:16 file.2




:allow

In the following example, ACL allow permissions are removed from everyone@.# chmod A5- file.2# ls -v file.2-rw-r----- 1 root root 2703 Feb 16 11:16 file.2



/write_acl/write_owner:deny

125


In this output, the file’s permission bits are reset from 655 to 650. Read permissions for everyone@ havebeen effectively removed from the file’s permissions bits when the ACL allow permissions are removedfor [email protected] the following example, the existing ACL is replaced with read_data/write_data permissionsfor everyone@.

# chmod A=everyone@:read_data/write_data:allow file.3# ls -v file.3-rw-rw-rw-+ 1 root root 1532 Feb 16 11:18 file.3

0:everyone@:read_data/write_data:allow

In this output, the chmod syntax effectively replaces the existing ACL with read_data/write_data:allow permissions to read/write permissions for owner, group, and everyone@. In this model,everyone@ specifies access to any user or group. Since no owner@ or group@ ACL entry exists tooverride the permissions for owner and group, the permission bits are set to 666.In the following example, the existing ACL is replaced with read permissions for user gozer.

# chmod A=user:gozer:read_data:allow file.3# ls -v file.3----------+ 1 root root 1532 Feb 16 11:18 file.3

0:user:gozer:read_data:allow

In this output, the file permissions are computed to be 000 because no ACL entries exist for owner@,group@, or everyone@, which represent the traditional permission components of a file. The owner ofthe file can resolve this problem by resetting the permissions (and the ACL) as follows:

# chmod 655 file.3# ls -v file.3-rw-r-xr-x+ 1 root root 0 Mar 8 13:24 file.3

0:user:gozer::deny1:user:gozer:read_data:allow2:owner@:execute:deny3:owner@:read_data/write_data/append_data/write_xattr/write_attributes

/write_acl/write_owner:allow4:group@:write_data/append_data:deny5:group@:read_data/execute:allow6:everyone@:write_data/append_data/write_xattr/write_attributes

/write_acl/write_owner:deny7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl

/synchronize:allow

Example 7.4: Restoring Trivial ACLs on ZFS Files

You can use the chmod command to remove all non-trivial ACLs on a file or directory.In the following example, 2 non-trivial ACEs exist on test5.dir.

# ls -dv test5.dirdrwxr-xr-x+ 2 root root 2 Feb 16 11:23 test5.dir

0:user:gozer:read_data:file_inherit:deny1:user:lp:read_data:file_inherit:deny2:owner@::deny3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory



126




In the following example, the non-trivial ACLs for users gozer and lp are removed. The remainingACL contains the six default values for owner@, group@, and everyone@.

# chmod A- test5.dir# ls -dv test5.dirdrwxr-xr-x 2 root root 2 Feb 16 11:23 test5.dir






Setting ACL Inheritance on ZFS Files in Verbose Format

You can determine how ACLs are inherited or not inherited on files and directories. By default, ACLs arenot propagated. If you set an non-trivial ACL on a directory, the ACL is not inherited by any subsequentdirectory. You must specify the inheritance of an ACL on a file or directory.

In addition, two ACL properties are provided that can be set globally on file systems: aclinherit andaclmode. By default, aclinherit is set to secure and aclmode is set to groupmask.


Example 7.5: Default ACL Inheritance

By default, ACLs are not propagated through a directory structure.In the following example, an non-trivial ACE of read_data/write_data/execute is applied foruser gozer on test.dir.

# chmod A+user:gozer:read_data/write_data/execute:allow test.dir# ls -dv test.dirdrwxr-xr-x+ 2 root root 2 Feb 17 14:45 test.dir

0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow1:owner@::deny2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory





If a test.dir subdirectory is created, the ACE for user gozer is not propagated. User gozer wouldonly have access to sub.dir if the permissions on sub.dir granted him access as the file owner, groupmember, or everyone@.

127


# mkdir test.dir/sub.dir# ls -dv test.dir/sub.dirdrwxr-xr-x 2 root root 2 Feb 17 14:46 test.dir/sub.dir






Example 7.6: Granting ACL Inheritance on Files and Directories

This series of examples identify the file and directory ACEs that are applied when the file_inheritflag is set.In the following example, read_data/write_data permissions are added for files in the test.dirdirectory for user gozer so that he has read access on any newly created files.# chmod A+user:gozer:read_data/write_data:file_inherit:allow test2.dir# ls -dv test2.dirdrwxr-xr-x+ 2 root root 2 Feb 17 14:47 test2.dir

0:user:gozer:read_data/write_data:file_inherit:allow1:owner@::deny2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory





In the following example, user gozer’s permissions are applied on the newly created test2.dir/file.2 file. The ACL inheritance granted, read_data:file_inherit:allow, means user gozer canread the contents of any newly created file.# touch test2.dir/file.2# ls -v test2.dir/file.2-rw-r--r--+ 1 root root 0 Feb 17 14:49 test2.dir/file.2

0:user:gozer:write_data:deny1:user:gozer:read_data/write_data:allow2:owner@:execute:deny3:owner@:read_data/write_data/append_data/write_xattr/write_attributes+



:allow

Because the aclmode for this file is set to the default mode, groupmask, user gozer does not havewrite_data permission on file.2 because the group permission of the file does not allow it.

128


Note the inherit_only permission, which is applied when the file_inherit or dir_inheritflags are set, is used to propagate the ACL through the directory structure. As such, user gozer is onlygranted or denied permission from everyone@ permissions unless he is the owner of the file or a memberof the owning group of the file. For example:

# mkdir test2.dir/subdir.2# ls -dv test2.dir/subdir.2drwxr-xr-x+ 2 root root 2 Feb 17 14:50 test2.dir/subdir.2

0:user:gozer:list_directory/read_data/add_file/write_data:file_inherit/inherit_only:allow






The following series of examples identify the file and directory ACLs that are applied when both thefile_inherit and dir_inherit flags are set.In the following example, user gozer is granted read, write, and execute permissions that are inheritedfor newly created files and directories.

# chmod A+user:gozer:read_data/write_data/execute:file_inherit/dir_inherit:allow test3.dir# ls -dv test3.dirdrwxr-xr-x+ 2 root root 2 Feb 17 14:51 test3.dir

0:user:gozer:list_directory/read_data/add_file/write_data/execute:file_inherit/dir_inherit:allow






# touch test3.dir/file.3# ls -v test3.dir/file.3-rw-r--r--+ 1 root root 0 Feb 17 14:53 test3.dir/file.3

0:user:gozer:write_data/execute:deny1:user:gozer:read_data/write_data/execute:allow2:owner@:execute:deny3:owner@:read_data/write_data/append_data/write_xattr/write_attributes



:allow

# mkdir test3.dir/subdir.1# ls -dv test3.dir/subdir.1

129


drwxr-xr-x+ 2 root root 2 May 4 15:00 test3.dir/subdir.10:user:gozer:list_directory/read_data/add_file/write_data/execute

:file_inherit/dir_inherit/inherit_only:allow1:user:gozer:add_file/write_data:deny2:user:gozer:list_directory/read_data/add_file/write_data/execute:allow3:owner@::deny4:owner@:list_directory/read_data/add_file/write_data/add_subdirectory





In these examples, because the permission bits of the parent directory for group@ and everyone@ denywrite and execute permissions, user gozer is denied write and execute permissions. The default aclmodeproperty is secure, which means that write_data and execute permissions are not inherited.In the following example, user gozer is granted read, write, and execute permissions that are inheritedfor newly created files, but are not propagated to subsequent contents of the directory.

# chmod A+user:gozer:read_data/write_data/execute:file_inherit/no_propagate:allow test4.dir# ls -dv test4.dirdrwxr-xr-x+ 2 root root 2 Feb 17 14:54 test4.dir

0:user:gozer:list_directory/read_data/add_file/write_data/execute:file_inherit/no_propagate:allow






As the following example illustrates, when a new subdirectory is created, user gozer’s read_data/write_data/execute permission for files are not propagated to the new sub4.dir directory.

# mkdir test4.dir/sub4.dir# ls -dv test4.dir/sub4.dirdrwxr-xr-x 2 root root 2 Feb 17 14:57 test4.dir/sub4.dir






As the following example illustrates, gozer’s read_data/write_data/execute permission forfiles is propagated to the newly created file.

# touch test4.dir/file.4# ls -v test4.dir/file.4

130


-rw-r--r--+ 1 root root 0 May 4 15:02 test4.dir/file.40:user:gozer:write_data/execute:deny1:user:gozer:read_data/write_data/execute:allow2:owner@:execute:deny3:owner@:read_data/write_data/append_data/write_xattr/write_attributes



:allow

Example 7.7: ACL Inheritance With ACL Mode Set to Passthrough

If the aclmode property on the tank/cindy file system is set to passthrough, then user gozerwould inherit the ACL applied on test4.dir for the newly created file.4 as follows:

# zfs set aclmode=passthrough tank/cindy# touch test4.dir/file.4# ls -v test4.dir/file.4-rw-r--r--+ 1 root root 0 Feb 17 15:15 test4.dir/file.4

0:user:gozer:read_data/write_data/execute:allow1:owner@:execute:deny2:owner@:read_data/write_data/append_data/write_xattr/write_attributes



:allow

This output illustrates that the read_data/write_data/execute:allow:file_inherit/dir_inherit ACL that was set on the parent directory, test4.dir, is passed through to user gozer.

Example 7.8: ACL Inheritance With ACL Mode Set to Discard

If the aclmode property on a file system is set to discard, then ACLs can potentially be discarded whenthe permission bits on a directory change. For example:

# zfs set aclmode=discard tank/cindy# chmod A+user:gozer:read_data/write_data/execute:dir_inherit:allow test5.dir# ls -dv test5.dirdrwxr-xr-x+ 2 root root 2 Feb 16 11:23 test5.dir

0:user:gozer:list_directory/read_data/add_file/write_data/execute:dir_inherit:allow





131



If, at a later time, you decide to tighten the permission bits on a directory, the non-trivial ACL is discarded.For example:

# chmod 744 test5.dir# ls -dv test5.dirdrwxr--r-- 2 root root 2 Feb 16 11:23 test5.dir



2:group@:add_file/write_data/add_subdirectory/append_data/execute:deny3:group@:list_directory/read_data:allow4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr

/execute/write_attributes/write_acl/write_owner:deny5:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl

/synchronize:allow

Example 7.9: ACL Inheritance With ACL Inherit Mode Set to Noallow

In the following example, two non-trivial ACLs with file inheritance are set. One ACL allows read_datapermission, and one ACL denies read_data permission. This example also illustrates how you canspecify two ACEs in the same chmod command.

# zfs set aclinherit=nonallow tank/cindy# chmod A+user:gozer:read_data:file_inherit:deny,user:lp:read_data:file_inherit:allow test6.dir# ls -dv test6.dirdrwxr-xr-x+ 2 root root 2 May 4 14:23 test6.dir

0:user:gozer:read_data:file_inherit:deny1:user:lp:read_data:file_inherit:allow2:owner@::deny3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory





As the following example shows, when a new file is created, the ACL that allows read_data permissionis discarded.

# touch test6.dir/file.6# ls -v test6.dir/file.6-rw-r--r--+ 1 root root 0 May 4 13:44 test6.dir/file.6

0:user:gozer:read_data:deny1:owner@:execute:deny2:owner@:read_data/write_data/append_data/write_xattr/write_attributes



:allow

132

7.4. Setting and Displaying ACLs on ZFS Files in Compact Format

7.4 Setting and Displaying ACLs on ZFS Files in Compact Format

You can set and display permissions on ZFS files in a compact format that uses 14 unique letters torepresent the permissions. The letters that represent the compact permissions are listed in Table 7.2 andTable 7.3.

You can display compact ACL listings for files and directories by using the ls -V command. For example:

# ls -V file.1-rw-r--r-- 1 root root 206663 Feb 16 11:00 file.1

owner@:--x-----------:------:denyowner@:rw-p---A-W-Co-:------:allowgroup@:-wxp----------:------:denygroup@:r-------------:------:allow

everyone@:-wxp---A-W-Co-:------:denyeveryone@:r-----a-R-c--s:------:allow

The compact ACL output is described as follows:

owner@The owner is denied execute permissions to the file (x=execute).

owner@The owner can read and modify the contents of the file (rw=read_data/write_data), (p=append_data). The owner can also modify the file’s attributes such as timestamps, extended at-tributes, and ACLs (A=write_xattr, W=write_attributes, C=write_acl). In addition,the owner can modify the ownership of the file (O=write_owner).

group@The group is denied modify and execute permissions to the file (rw=read_data/write_data,p=append_data, and x=execute).

group@The group is granted read permissions to the file (r=read_data).

everyone@Everyone who is not user or group is denied permission to execute or modify the contents of thefile, and to modify any attributes of the file (w=write_data, x=execute, p=append_data,A=write_xattr, W=write_attributes, C=write_acl, and o=write_owner).

everyone@Everyone who is not user or group is granted read permissions to the file and the file’s attributes(r=read_data,a=append_data,R=read_xattr,c=read_acl, and s=synchronize).The synchronize access permission is not currently implemented.

Compact ACL format provides the following advantages over verbose ACL format:

• Permissions can be specified as positional arguments to the chmod command.

• The hyphen (-) characters, which identify no permissions, can be removed and only the required lettersneed to be specified.

133


• Both permissions and inheritance flags are set in the same fashion.

For information about using the verbose ACL format, see Section 7.3.

Example 7.10: Setting and Displaying ACLs in Compact Format

In the following example, a trivial ACL exists on file.1:

# ls -V file.1-rw-r-xr-x 1 root root 206663 Feb 16 11:00 file.1

owner@:--x-----------:------:denyowner@:rw-p---A-W-Co-:------:allowgroup@:-w-p----------:------:denygroup@:r-x-----------:------:allow

everyone@:-w-p---A-W-Co-:------:denyeveryone@:r-x---a-R-c--s:------:allow

In this example, read_data/execute permissions are added for the user gozer on file.1.

# chmod A+user:gozer:rx:allow file.1# ls -V file.1-rw-r-xr-x+ 1 root root 206663 Feb 16 11:00 file.1

user:gozer:r-x-----------:------:allowowner@:--x-----------:------:denyowner@:rw-p---A-W-Co-:------:allowgroup@:-w-p----------:------:denygroup@:r-x-----------:------:allow


Another way to add the same permissions for user gozer is to insert a new ACL at a specific position, 4,for example. As such, the existing ACLs at positions 4–6 are pushed down. For example:

# chmod A4+user:gozer:rx:allow file.1# ls -V file.1-rw-r-xr-x+ 1 root root 206663 Feb 16 11:00 file.1

owner@:--x-----------:------:denyowner@:rw-p---A-W-Co-:------:allowgroup@:-w-p----------:------:denygroup@:r-x-----------:------:allow

user:gozer:r-x-----------:------:alloweveryone@:-w-p---A-W-Co-:------:denyeveryone@:r-x---a-R-c--s:------:allow

In the following example, user gozer is granted read, write, and execute permissions that are inheritedfor newly created files and directories by using the compact ACL format.

# chmod A+user:gozer:rwx:fd:allow dir.2# ls -dV dir.2drwxr-xr-x+ 2 root root 2 Aug 28 13:21 dir.2

user:gozer:rwx-----------:fd----:allowowner@:--------------:------:denyowner@:rwxp---A-W-Co-:------:allowgroup@:-w-p----------:------:denygroup@:r-x-----------:------:allow


You can also cut and paste permissions and inheritance flags from the ls -V output into the compactchmod format. For example, to duplicate the permissions and inheritance flags on dir.1 for user gozer

134

7.4. Setting and Displaying ACLs on ZFS Files in Compact Format

to user cindys, copy and paste the permission and inheritance flags (rwx-----------:f-----:allow) into your chmod command. For example:

# chmod A+user:cindys:rwx-----------:fd----:allow dir.2# ls -dv dir.2drwxr-xr-x+ 2 root root 2 Aug 28 14:12 dir.2

user:cindys:rwx-----------:fd----:allowuser:gozer:rwx-----------:fd----:allow

owner@:--------------:------:denyowner@:rwxp---A-W-Co-:------:allowgroup@:-w-p----------:------:denygroup@:r-x-----------:------:allow


135

Chapter 8

ZFS Delegated Administration

This chapter describes how to use delegated administration to allow non-privileged users to perform ZFSadministration tasks.

• Section 8.1

• Section 8.2

• Section 8.3

• Section 8.3

• Section 8.3

8.1 Overview of ZFS Delegated Administration

This feature enables you to distribute fine-grained permissions to specific users, groups, or everyone. Twostyles of delegated permissions are supported:

• Individual permissions can be explicitly specified such a create, destroy, mount and snapshot, and so on.

• Groups of permissions called permission sets can be defined. A permission set can later be updated andall of the consumers of the set automatically pick up the change. Permission sets begin with the @ letterand are limited to 64 characters in length. After the @ character, the remaining characters in the set namehave the same restrictions as normal ZFS file system names.

ZFS delegated administration provides similar features to the RBAC security. However, ZFS delegatedadministration provides the following advantages for administering ZFS storage pools and file systems:

• Permissions follow the ZFS storage pool when the pool is migrated.

• Provides dynamic inheritance and you can control how the permissions propagate through the filesystems.

• Can be configured so that only the creator of a file system can destroy the file systems they create.

137

8. ZFS DELEGATED ADMINISTRATION

• Permissions can be distributed to specific file systems. Newly created file systems can automaticallypick up permissions.

• Provides simple NFS administration. For example, a user with explicit permissions could create asnapshot over NFS in the appropriate .zfs/snapshot directory.

Consider using delegated administration for distributing ZFS tasks. For information about using RBAC tomanage general Solaris administration tasks, see Part III, Roles, Rights Profiles, and Privileges, in SystemAdministration Guide: Security Services.

Disabling ZFS Delegated Permissions

You can modify the ability to use delegated administration with the pool’s delegation property. Forexample:

# zpool get delegation usersNAME PROPERTY VALUE SOURCEusers delegation on default# zpool set delegation=off users# zpool get delegation usersNAME PROPERTY VALUE SOURCEusers delegation off local

By default, the delegation property is enabled.

8.2 Delegating ZFS Permissions

You can use the zfs allow command to grant permissions on ZFS datasets to non-root users in the followingways:

• Individual permissions can be granted to a user, group, or everyone.

• Groups of individual permissions can be granted as a permission set to a user, group, or everyone.

• Permissions can be granted either locally, which is to the current dataset only, or granted to all descendentsof the current dataset.

The following table describes the operations that can be delegated and any dependent permissions that arerequired to do the delegated operations.

Permission(Subcommand) Description Dependencies

allowThe ability to grant permissions thatyou have to another user.

Must also have the permission that isbeing allowed.

cloneThe ability to clone any of thedataset’s snapshots.

Must also have the create abilityand the mount ability in the originfile system.

createThe ability to create descendentdatasets.

Must also have the mount ability.

destroy The ability to destroy a dataset. Must also have the mount ability.

138

8.2. Delegating ZFS Permissions

Permission(Subcommand) Description Dependencies

mountThe ability to mount and unmount adataset and create and destroyvolume device links.

promoteThe ability to promote a clone to adataset.

Must also have the mount ability andpromote ability in the origin filesystem.

receiveThe ability to create descendent filesystem with the zfsreceivecommand.

Must also have the mount ability andthe create ability.

rename The ability to rename a dataset.Must also have the mount ability andthe create ability in the new parent.

rollback The ability to rollback a snapshot. Must also have the mount ability.

sendThe ability to send a snapshotstream.

shareThe ability to share and unshare adataset.

snapshotThe ability to take a snapshot of adataset.

In addition, you can delegate the following ZFS properties to non-root users:

• aclinherit

• aclmode

• atime

• canmount

• casesensitivity

• checksum

• compression

• copies

• exec

• devices

• mountpoint

• nbmand

• normalization

• quota

• readonly

• recordsize

139


• reservation

• setuid

• shareiscsi

• sharenfs

• sharesmb

• snapdir

• userprop

• utf8only

• version

• volsize

• vscan

• xattr

• zoned

Some of the properties listed above can only set at dataset creation time. For a description of theseproperties, see Section 5.2.

Syntax Descriptions for Delegating Permissions

The zfs allow syntax is as follows:

# zfs allow -[l d u g e c s] everyone|user|group[,,...] perm|@setname ,...] filesystem| volume

The following zfs allow syntax (in bold) identifies to whom the permissions are delegated:

zfs allow [-uge] | user | group | everyone [,...] filesystem | volume

Multiple entities can be specified as a comma-separated list. If none of the -uge options are specified,then the argument is interpreted preferentially as the keyword everyone, then as a user name, and lastly,as a group name. To specify a user or group named “everyone,” use the -u or -g options. To specify agroup with the same name as a user, use the -g option.

The following zfs allow syntax (in bold) identifies how permissions and permission sets are specified:

zfs allow [-s] ... perm | @setname [,...] filesystem | volume

Multiple permissions can be specified as a comma-separated list. Permission names are the same as ZFSsubcommands and properties. For more information, see the section above.

Permissions can be aggregated into permissions sets and are identified by the -s option. Permissionsets can be used by other zfs allow commands for the specified file system and its descendents. Sets areevaluated dynamically, so changes to a set are immediately updated. Permission sets follow the samenaming conventions as ZFS file systems, but the name must begin with an at sign (@), and can be no morethan 64 characters long.

The following zfs allow syntax (in bold) identifies how the permissions are delegated:

140

8.3. Using ZFS Delegated Administration

zfs allow [-ld] ... ... filesystem | volume

The -l option identifies if whether the permission is allowed for the specified dataset and not its descen-dents, unless the -d option is also specified. The -d option indicates that the permission is allowed forthe descendent datasets and not for this dataset, unless the -l option is also specified. If neither of the-ld options are specified, then the permissions are allowed for the file system or volume and all of itsdescendents.

Removing ZFS Delegated Permissions (zfs unallow)

You can remove previously granted permissions with the zfs unallow command.

For example, if you delegated create, destroy, mount, and snapshot permissions as follows:

# zfs allow cindys, create,destroy,mount,snapshot tank/cindys# zfs allow tank/cindys-------------------------------------------------------------Local+Descendent permissions on (tank/cindys)

user cindys create,destroy,mount,snapshot-------------------------------------------------------------

You would need to use syntax similar to the following to remove these permissions:

# zfs unallow cindys tank/cindys# zfs allow tank/cindys

8.3 Using ZFS Delegated Administration

This section provides examples of displaying and delegating permissions.

Displaying ZFS Delegated Permissions (Examples)

You can use the following command to display permissions:

# zfs allow dataset

The above command prints permissions that are set or allowed on this dataset. The output contains thefollowing components:

• Permissions sets

• Specific permissions or create time permissions

• Local

• Local and descendent

• Descendent only

141


Example 8.1: Displaying Simple Delegated Administration Permissions

The following example output indicates that user cindys has permission to create, destroy, mount,snapshot in the tank/cindys file system.

# zfs allow tank/cindys-------------------------------------------------------------Local+Descendent permissions on (tank/cindys)

user cindys create,destroy,mount,snapshot

Example 8.2: Displaying Complex Delegated Administration Permissions

The following example output indicates the following permissions on the pool and pool/fred filesystems.For the pool/fred file system:

• Two permission sets are defined:

– @eng (create, destroy, snapshot, mount, clone, promote, rename)

– @simple (create, mount)

• Create time permissions are set for the @eng permission set and the mountpoint property. Createtime means that after a dataset set is created, the @eng permission set and the mountpoint propertyare granted.

• User tom is granted the @eng permission set and the user joe is granted create, destroy, mountpermissions for local file systems.

• User fred is granted the @basic permission set and share and rename permissions for the local anddescendent file systems.

• User barney is granted the @basic permission set for descendent file systems only.

For the pool file system:

• The permission set @simple (create, destroy, mount) is defined.

• The group staff is granted the @simple permission set on the local file system.

$ zfs allow pool/fred------------------------------------------------------------------------------Permission sets on (pool/fred)

@eng create,destroy,snapshot,mount,clone,promote,rename@simple create,mount

Create time permissions on (pool/fred)@eng,mountpoint

Local permissions on (pool/fred)user tom @enguser joe create,destroy,mount

Local+Descendent permissions on (pool/fred)user fred @basic,share,rename

Descendent permissions on (pool/fred)user barney @basicgroup staff @basic

142


------------------------------------------------------------------------------Permission sets on (pool)

@simple create,destroy,mountLocal permissions on (pool)

group staff @simple------------------------------------------------------------------------------

Delegating ZFS Permissions (Examples)

Example 8.3: Delegating Permissions to an Individual User

When you provide create and mount permissions, you need to make sure that the user has permissions onthe underlying mount point.For example, to give marks create and mount permissions on tank, set the permissions first:# chmod A+user:marks:add_subdirectory:fd:allow /tank

Then, use the zfs allow to grant create, destroy, and mount permissions. For example:# zfs allow marks create,destroy,mount tank

This means that marks can create his own file systems in the tank file system. For example:# su marksmarks$ zfs create tank/marksmarks$ ^D# su lp$ zfs create tank/lpcannot create ’tank/lp’: permission denied

Example 8.4: Delegating Create and Destroy Permissions to a Group

The following example shows how to set up a file system so that anyone in the staff group can createand mount file systems in the tank file system, and also allows them to destroy their own file systems.However, staff group members cannot destroy anyone else’s file systems.# zfs allow staff create,mount tank# zfs allow -c create,destroy tank# zfs allow tank-------------------------------------------------------------Create time permissions on (tank)

create,destroyLocal+Descendent permissions on (tank)

group staff create,mount-------------------------------------------------------------# su cindyscindys% zfs create tank/cindyscindys% exit# su marksmarks% zfs create tank/marks/datamarks% exitcindys% zfs destroy tank/marks/datacannot destroy ’tank/mark’: permission denied

143


Example 8.5: Delegating Permissions at the Right File System Level

Make sure to grant users permission at the right file system level. User marks is granted create, destroy,and mount permissions for the local and descendent file systems. User marks is granted local permissionto snapshot the tank file system, but this does not allow him to snapshot his own file system.

# zfs allow -l marks snapshot tank# zfs allow tank-------------------------------------------------------------Local permissions on (tank)

user marks snapshotLocal+Descendent permissions on (tank)

user marks create,destroy,mount-------------------------------------------------------------# su marksmarks$ zfs snapshot tank/@snap1marks$ zfs snapshot tank/marks@snap1cannot create snapshot ’mark/marks@snap1’: permission denied

Use the zfs allow -d option to grant marks permission at the descendent level. For example:

# zfs unallow -l marks snapshot tank# zfs allow -d marks snapshot tank# zfs allow tank-------------------------------------------------------------Descendent permissions on (tank)

user marks snapshotLocal+Descendent permissions on (tank)

user marks create,destroy,mount-------------------------------------------------------------# su marks$ zfs snapshot tank@snap2cannot create snapshot ’sandbox@snap2’: permission denied$ zfs snapshot tank/marks@snappy

User marks can only create a snapshot below the tank level.

Example 8.6: Defining and Using Complex Delegated Permissions

You can grant specific permissions to users or groups. For example, the following zfs allow commandgrants specific permissions to the staff group. In addition, destroy and snapshot permissions are grantedafter tank file systems are created.

# zfs allow staff create,mount tank# zfs allow tank-------------------------------------------------------------Create time permissions on (tank)

destroy,snapshotLocal+Descendent permissions on (tank)

group staff create-------------------------------------------------------------

Because marks is a member of the staff group, he can create file systems in tank. In addition, usermarks can create a snapshot of tank/marks2 because he has specific permissions. For example:

# su marks$ zfs create tank/marks2$ zfs allow tank/marks2

144


-------------------------------------------------------------Local permissions on (tank/marks2)

user marks destroy,snapshot-------------------------------------------------------------Create time permissions on (tank)

destroy,snapshotLocal+Descendent permissions on (tank)

group staff createeveryone mount

-------------------------------------------------------------

But, he can’t create a snapshot in tank/marks because he doesn’t have specific permissions. See thelisting above. For example:

$ zfs snapshot tank/marks2@snap1$ zfs snapshot tank/marks@snapppcannot create snapshot ’tank/marks@snappp’: permission denied

You can create snapshot directories if you have create permission in your home directory, for example.This is helpful when your file system is NFS mounted. For example:

$ cd /tank/marks2$ ls$ cd .zfs$ lssnapshot$ cd snapshot$ ls -ltotal 3drwxr-xr-x 2 marks staff 2 Dec 15 13:53 snap1$ pwd/tank/marks2/.zfs/snapshot$ mkdir snap2$ zfs listNAME USED AVAIL REFER MOUNTPOINTtank 264K 33.2G 33.5K /tanktank/marks 24.5K 33.2G 24.5K /tank/markstank/marks2 46K 33.2G 24.5K /tank/marks2tank/marks2@snap1 21.5K - 24.5K -tank/marks2@snap2 0 - 24.5K -$ lssnap1 snap2$ rmdir snap2$ lssnap1

Example 8.7: Defining and Using a ZFS Delegated Permission Set

The following example creates a permission set @myset and grants the permission set and the renamepermission to the group staff for the tank file system. User cindys, a group staff member, hasthe ability to create a file system in tank but user lp has no permission to create a file system in tank.

# zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly tank# zfs allow tank-------------------------------------------------------------Permission sets on (tank)

@myset clone,create,destroy,mount,promote,readonly,snapshot-------------------------------------------------------------

145


# zfs allow staff @myset,rename tank# zfs allow tank-------------------------------------------------------------Permission sets on (tank)

@myset clone,create,destroy,mount,promote,readonly,snapshotLocal+Descendent permissions on (tank)

group staff @myset,rename# chmod A+group:staff:add_subdirectory:fd:allow tank# su cindyscindys% zfs create tank/dataCindys% zfs allow tank-------------------------------------------------------------Permission sets on (tank)

@myset clone,create,destroy,mount,promote,readonly,snapshotLocal+Descendent permissions on (tank)

group staff @myset,rename-------------------------------------------------------------cindys% ls -l /tanktotal 15drwxr-xr-x 2 cindys staff 2 Aug 8 14:10 datacindys% exit# su lp$ zfs create tank/lpcannot create ’tank/lp’: permission denied

Removing ZFS Permission (Examples)

You can use the following command to remove granted permissions. For example, user cindys haspermission to create, mount, destroy, and snapshot in the tank/cindys file system.

# zfs allow cindys create,destroy,mount,snapshot tank/cindys# zfs allow tank/cindys-------------------------------------------------------------Local+Descendent permissions on (tank/cindys)

user cindys create,destroy,mount,snapshot-------------------------------------------------------------

This zfs unallow syntax removes user cindys’s snapshot permission from the tank/cindys filesystem.

# zfs unallow cindys snapshot tank/cindys# zfs allow tank/cindys-------------------------------------------------------------Local+Descendent permissions on (tank/cindys)

user cindys create,destroy,mount-------------------------------------------------------------cindys% zfs create tank/cindys/datacindys% zfs snapshot tank/cindys@todaycannot create snapshot ’tank/cindys@today’: permission denied

User marks has the following permissions in tank/marks.

# zfs allow tank/marks-------------------------------------------------------------Local+Descendent permissions on (tank/marks)

user marks create,destroy,mount-------------------------------------------------------------

146


The following zfs unallow syntax removes all permissions for user marks from tank/marks.

# zfs unallow marks tank/marks

The following zfs unallow syntax removes a permission set on the tank file system.

# zfs allow tank-------------------------------------------------------------Permission sets on (tank)

@myset clone,create,destroy,mount,promote,readonly,snapshotCreate time permissions on (tank)

create,destroy,mountLocal+Descendent permissions on (tank)

group staff create,mount-------------------------------------------------------------# zfs unallow -s @myset tank$ zfs allow tank-------------------------------------------------------------Create time permissions on (tank)

create,destroy,mountLocal+Descendent permissions on (tank)

group staff create,mount-------------------------------------------------------------

147

Chapter 9

ZFS Advanced Topics

This chapter describes ZFS volumes, using ZFS with zones, ZFS alternate root pools, and ZFS rightsprofiles.


• Section 9.1

• Section 9.2

• Section 9.3

• Section 9.4

9.1 ZFS Volumes

A ZFS volume is a dataset that represents a block device and can be used like any block device. ZFSvolumes are identified as devices in the /dev/zvol/{dsk,rdsk}/path directory.

In the following example, 5-Gbyte ZFS volume, tank/vol, is created:

# zfs create -V 5gb tank/vol

When you create a volume, a reservation is automatically set to the initial size of the volume. Thereservation size continues to equal the size of the volume so that unexpected behavior doesn’t occur.For example, if the size of the volume shrinks, data corruption might occur. You must be careful whenchanging the size of the volume.

In addition, if you create a snapshot of a volume that changes in size, you might introduce file systeminconsistencies if you attempt to rollback the snapshot or create a clone from the snapshot.

For information about file system properties that can be applied to volumes, see Table 5.1.

If you are using a system configured to use zones, you cannot create or clone a ZFS volume in a non-globalzone. Any attempt to do so will fail. For information about using ZFS volumes in a global zone, seeSection 9.2.

149

9. ZFS ADVANCED TOPICS

Using a ZFS Volume as a Swap or Dump Device

To set up a swap area, create a ZFS volume of a specific size and then enable swap on that device. Do notswap to a file on a ZFS file system. A ZFS swap file configuration is not supported.

In the following example, the 5-Gbyte tank/vol volume is added as a swap device.

# swap -a /dev/zvol/dsk/tank/vol# swap -lswapfile dev swaplo blocks free/dev/dsk/c0t0d0s1 32,33 16 1048688 1048688/dev/zvol/dsk/tank/vol 254,1 16 10485744 10485744

Using a ZFS volume as a dump device is not supported. Use the dumpadm command to set up a dumpdevice.

Using a ZFS Volume as a Solaris iSCSI Target

Solaris iSCSI targets and initiators are supported in the Solaris release.

In addition, you can easily create a ZFS volume as a iSCSI target by setting the shareiscsi propertyon the volume. For example:

# zfs create -V 2g tank/volumes/v2# zfs set shareiscsi=on tank/volumes/v2# iscsitadm list targetTarget: tank/volumes/v2


After the iSCSI target is created, set up the iSCSI initiator. For more information about Solaris iSCSItargets and initiators, see Chapter 14, Configuring Solaris iSCSI Targets and Initiators (Tasks), in SystemAdministration Guide: Devices and File Systems.

NoteSolaris iSCSI targets can also be created and managed with iscsitadm command. If you set theshareiscsi property on a ZFS volume, do not use the iscsitadm command to also create the sametarget device. Otherwise, you will end up with duplicate target information for the same device.

A ZFS volume as an iSCSI target is managed just like another ZFS dataset. However, the rename, export,and import operations work a little differently for iSCSI targets.

• When you rename a ZFS volume, the iSCSI target name remains the same. For example:

# zfs rename tank/volumes/v2 tank/volumes/v1# iscsitadm list targetTarget: tank/volumes/v1


• Exporting a pool that contains a shared ZFS volume causes the target to be removed. Importing a poolthat contains a shared ZFS volume causes the target to be shared. For example:

150

9.2. Using ZFS With Zones

# zpool export tank# iscsitadm list target# zpool import tank# iscsitadm list targetTarget: tank/volumes/v1


All iSCSI target configuration information is stored within the dataset. Like an NFS shared file system, aniSCSI target that is imported on a different system is shared appropriately.

9.2 Using ZFS With Zones

The following sections describe how to use ZFS with zones.

• Section 9.2

• Section 9.2

• Section 9.2

• Section 9.2

• Section 9.2

• Section 9.2

Keep the following points in mind when associating ZFS datasets with zones:

• You can add a ZFS file system or a ZFS clone to a non-global with or without delegating administrativecontrol.

• You can add a ZFS volume as a device to non-global zones

• You cannot associate ZFS snapshots with zones at this time

• Do not use a ZFS file system for a global zone root path or a non-global zone root path in the Solaris10 releases. You can use ZFS as a zone root path in the Solaris Express releases, but keep in mind thatpatching or upgrading these zones is not supported.

In the sections below, a ZFS dataset refers to a file system or clone.

Adding a dataset allows the non-global zone to share space with the global zone, though the zoneadministrator cannot control properties or create new file systems in the underlying file system hierarchy.This is identical to adding any other type of file system to a zone, and should be used when the primarypurpose is solely to share common space.

ZFS also allows datasets to be delegated to a non-global zone, giving complete control over the datasetand all its children to the zone administrator. The zone administrator can create and destroy file systems orclones within that dataset, and modify properties of the datasets. The zone administrator cannot affectdatasets that have not been added to the zone, and cannot exceed any top-level quotas set on the exporteddataset.

Consider the following interactions when working with ZFS on a system configured to use zones:

151


• A ZFS file system that is added to a non-global zone must have its mountpoint property set to legacy.

• When a source zonepath and the target zonepath both reside on ZFS and are in the same pool,zoneadm clone will now automatically use ZFS clone to clone a zone. The zoneadm clone commandwill take a ZFS snapshot of the source zonepath and set up the target zonepath. You cannot use thezfs clone command to clone a zone. For more information, see Part II, Zones, in System AdministrationGuide: Virtualization Using the Solaris Operating System.

Adding ZFS File Systems to a Non-Global Zone

You can add a ZFS file system as a generic file system when the goal is solely to share space with theglobal zone. A ZFS file system that is added to a non-global zone must have its mountpoint propertyset to legacy.

You can add a ZFS file system to a non-global zone by using the zonecfg command’s add fs subcom-mand. For example:

In the following example, a ZFS file system is added to a non-global zone by a global administrator in theglobal zone.# zonecfg -z zionzonecfg:zion> add fszonecfg:zion:fs> set type=zfszonecfg:zion:fs> set special=tank/zone/zionzonecfg:zion:fs> set dir=/export/sharedzonecfg:zion:fs> end

This syntax adds the ZFS file system, tank/zone/zion, to the already configured zion zone, mountedat /export/shared. The mountpoint property of the file system must be set to legacy, and the filesystem cannot already be mounted in another location. The zone administrator can create and destroyfiles within the file system. The file system cannot be remounted in a different location, nor can the zoneadministrator change properties on the file system such as atime, readonly, compression, and so on. Theglobal zone administrator is responsible for setting and controlling properties of the file system.

For more information about the zonecfg command and about configuring resource types with zonecfg,see Part II, Zones, in System Administration Guide: Virtualization Using the Solaris Operating System.

Delegating Datasets to a Non-Global Zone

If the primary goal is to delegate the administration of storage to a zone, then ZFS supports adding datasetsto a non-global zone through use of the zonecfg command’s add dataset subcommand.

In the following example, a ZFS file system is delegated to a non-global zone by a global administrator inthe global zone.# zonecfg -z zionzonecfg:zion> add datasetzonecfg:zion:dataset> set name=tank/zone/zionzonecfg:zion:dataset> end

Unlike adding a file system, this syntax causes the ZFS file system tank/zone/zion to be visiblewithin the already configured zion zone. The zone administrator can set file system properties, as wellas create children. In addition, the zone administrator can take snapshots, create clones, and otherwisecontrol the entire file system hierarchy.

For more information about what actions are allowed within zones, see Section 9.2.

152

9.2. Using ZFS With Zones

Adding ZFS Volumes to a Non-Global Zone

ZFS volumes cannot be added to a non-global zone by using the zonecfg command’s add datasetsubcommand. If an attempt to add an ZFS volume is detected, the zone cannot boot. However, volumescan be added to a zone by using the zonecfg command’s add device subcommand.

In the following example, a ZFS volume is added to a non-global zone by a global administrator in theglobal zone:

# zonecfg -z zionzion: No such zone configuredUse ’create’ to begin configuring a new zone.zonecfg:zion> createzonecfg:zion> add devicezonecfg:zion:device> set match=/dev/zvol/dsk/tank/volzonecfg:zion:device> end

This syntax exports the tank/vol volume to the zone. Note that adding a raw volume to a zone hasimplicit security risks, even if the volume doesn’t correspond to a physical device. In particular, the zoneadministrator could create malformed file systems that would panic the system when a mount is attempted.For more information about adding devices to zones and the related security risks, see Section 9.2.

For more information about adding devices to zones, see Part II, Zones, in System Administration Guide:Virtualization Using the Solaris Operating System.

Using ZFS Storage Pools Within a Zone

ZFS storage pools cannot be created or modified within a zone. The delegated administration modelcentralizes control of physical storage devices within the global zone and control of virtual storage to non-global zones. While a pool-level dataset can be added to a zone, any command that modifies the physicalcharacteristics of the pool, such as creating, adding, or removing devices, is not allowed from withina zone. Even if physical devices are added to a zone by using the zonecfg command’s add devicesubcommand, or if files are used, the zpool command does not allow the creation of any new pools withinthe zone.

Managing ZFS Properties Within a Zone

After a dataset is added to a zone, the zone administrator can control specific dataset properties. Whena dataset is added to a zone, all its ancestors are visible as read-only datasets, while the dataset itself iswritable as are all of its children. For example, consider the following configuration:

global# zfs list -Ho nametanktank/hometank/datatank/data/matrixtank/data/ziontank/data/zion/home

If tank/data/zion is added to a zone, each dataset would have the following properties.

153


Dataset Visible Writable ImmutableProperties

tank Yes No -tank/home No - -tank/data Yes No -tank/data/matrix

No - -

tank/data/zion Yes Yessharenfs, zoned, quota,reservation

tank/data/zion/home

Yes Yes sharenfs, zoned

Note that every parent of tank/zone/zion is visible read-only, all children are writable, and datasetsthat are not part of the parent hierarchy are not visible at all. The zone administrator cannot change thesharenfs property, because non-global zones cannot act as NFS servers. Neither can the zone administratorchange the zoned property, because doing so would expose a security risk as described in the nextsection.

Any other settable property can be changed, except for the quota property, and the dataset itself. Thisbehavior allows the global zone administrator to control the space consumption of all datasets used by thenon-global zone.

In addition, the sharenfs and mountpoint properties cannot be changed by the global zone administratoronce a dataset has been added to a non-global zone.

Understanding the zoned Property

When a dataset is added to a non-global zone, the dataset must be specially marked so that certainproperties are not interpreted within the context of the global zone. After a dataset has been added to anon-global zone under the control of a zone administrator, its contents can no longer be trusted. As withany file system, there might be setuid binaries, symbolic links, or otherwise questionable contents thatmight adversely affect the security of the global zone. In addition, the mountpoint property cannot beinterpreted in the context of the global zone. Otherwise, the zone administrator could affect the globalzone’s namespace. To address the latter, ZFS uses the zoned property to indicate that a dataset has beendelegated to a non-global zone at one point in time.

The zoned property is a boolean value that is automatically turned on when a zone containing a ZFS datasetis first booted. A zone administrator will not need to manually turn on this property. If the zoned propertyis set, the dataset cannot be mounted or shared in the global zone, and is ignored when the zfs share -acommand or the zfs mount -a command is executed. In the following example, tank/zone/zion hasbeen added to a zone, while tank/zone/global has not:

# zfs list -o name,zoned,mountpoint -r tank/zoneNAME ZONED MOUNTPOINTtank/zone/global off /tank/zone/globaltank/zone/zion on /tank/zone/zion# zfs mounttank/zone/global /tank/zone/globaltank/zone/zion /export/zone/zion/root/tank/zone/zion

154

9.3. Using ZFS Alternate Root Pools

Note the difference between the mountpoint property and the directory where the tank/zone/ziondataset is currently mounted. The mountpoint property reflects the property as stored on disk, not wherethe dataset is currently mounted on the system.

When a dataset is removed from a zone or a zone is destroyed, the zoned property is not automaticallycleared. This behavior is due to the inherent security risks associated with these tasks. Because an untrusteduser has had complete access to the dataset and its children, the mountpoint property might be set to badvalues, or setuid binaries might exist on the file systems.

To prevent accidental security risks, the zoned property must be manually cleared by the global adminis-trator if you want to reuse the dataset in any way. Before setting the zoned property to off, make surethat the mountpoint property for the dataset and all its children are set to reasonable values and that nosetuid binaries exist, or turn off the setuid property.

After you have verified that no security vulnerabilities are left, the zoned property can be turned off byusing the zfs set or zfs inherit commands. If the zoned property is turned off while a dataset is in usewithin a zone, the system might behave in unpredictable ways. Only change the property if you are surethe dataset is no longer in use by a non-global zone.

9.3 Using ZFS Alternate Root Pools

When a pool is created, the pool is intrinsically tied to the host system. The host system maintainsknowledge about the pool so that it can detect when the pool is otherwise unavailable. While useful fornormal operation, this knowledge can prove a hindrance when booting from alternate media, or creating apool on removable media. To solve this problem, ZFS provides an alternate root pool feature. An alternateroot pool does not persist across system reboots, and all mount points are modified to be relative to theroot of the pool.

Creating ZFS Alternate Root Pools

The most common use for creating an alternate root pool is for use with removable media. In thesecircumstances, users typically want a single file system, and they want it to be mounted wherever theychoose on the target system. When an alternate root pool is created by using the -R option, the mountpoint of the root file system is automatically set to /, which is the equivalent of the alternate root itself.

In the following example, a pool called morpheus is created with /mnt as the alternate root path:

# zpool create -R /mnt morpheus c0t0d0# zfs list morpheusNAME USED AVAIL REFER MOUNTPOINTmorpheus 32.5K 33.5G 8K /mnt/

Note the single file system, morpheus, whose mount point is the alternate root of the pool, /mnt. Themount point that is stored on disk is / and the full path to /mnt is interpreted only in the context of thealternate root pool. This file system can then be exported and imported under an arbitrary alternate rootpool on a different system.

Importing Alternate Root Pools

Pools can also be imported using an alternate root. This feature allows for recovery situations, wherethe mount points should not be interpreted in context of the current root, but under some temporary

155


directory where repairs can be performed. This feature also can be used when mounting removable mediaas described above.

In the following example, a pool called morpheus is imported with /mnt as the alternate root path. Thisexample assumes that morpheus was previously exported.

# zpool import -R /mnt morpheus# zpool list morpheusNAME SIZE USED AVAIL CAP HEALTH ALTROOTmorpheus 33.8G 68.0K 33.7G 0% ONLINE /mnt# zfs list morpheusNAME USED AVAIL REFER MOUNTPOINTmorpheus 32.5K 33.5G 8K /mnt/morpheus

9.4 ZFS Rights Profiles

If you want to perform ZFS management tasks without using the superuser (root) account, you can assumea role with either of the following profiles to perform ZFS administration tasks:

• ZFS Storage Management – Provides the ability to create, destroy, and manipulate devices within a ZFSstorage pool

• ZFS File system Management – Provides the ability to create, destroy, and modify ZFS file systems

For more information about creating or assigning roles, see System Administration Guide: SecurityServices.

In addition to using RBAC roles for administering ZFS file systems, you might also consider using ZFSdelegated administration for distributed ZFS administration tasks. For more information, see Chapter 8.

156

Chapter 10

ZFS Troubleshooting and Data Recovery

This chapter describes how to identify and recover from ZFS failure modes. Information for preventingfailures is provided as well.


• Section 10.1

• Section 10.2

• Section 10.3

• Section 10.4

• Section 10.5

• Section 10.6

• Section 10.7

• Section 10.8

10.1 ZFS Failure Modes

As a combined file system and volume manager, ZFS can exhibit many different failure modes. Thischapter begins by outlining the various failure modes, then discusses how to identify them on a runningsystem. This chapter concludes by discussing how to repair the problems. ZFS can encounter three basictypes of errors:

• Section 10.1

• Section 10.1

• Section 10.1

Note that a single pool can experience all three errors, so a complete repair procedure involves finding andcorrecting one error, proceeding to the next error, and so on.

157

10. ZFS TROUBLESHOOTING AND DATA RECOVERY

Missing Devices in a ZFS Storage Pool

If a device is completely removed from the system, ZFS detects that the device cannot be opened andplaces it in the FAULTED state. Depending on the data replication level of the pool, this might or mightnot result in the entire pool becoming unavailable. If one disk in a mirrored or RAID-Z device is removed,the pool continues to be accessible. If all components of a mirror are removed, if more than one device ina RAID-Z device is removed, or if a single-disk, top-level device is removed, the pool becomes FAULTED.No data is accessible until the device is reattached.

Damaged Devices in a ZFS Storage Pool

The term “damaged” covers a wide variety of possible errors. Examples include the following errors:

• Transient I/O errors due to a bad disk or controller

• On-disk data corruption due to cosmic rays

• Driver bugs resulting in data being transferred to or from the wrong location

• Simply another user overwriting portions of the physical device by accident

In some cases, these errors are transient, such as a random I/O error while the controller is havingproblems. In other cases, the damage is permanent, such as on-disk corruption. Even still, whether thedamage is permanent does not necessarily indicate that the error is likely to occur again. For example, ifan administrator accidentally overwrites part of a disk, no type of hardware failure has occurred, and thedevice need not be replaced. Identifying exactly what went wrong with a device is not an easy task and iscovered in more detail in a later section.

Corrupted ZFS Data

Data corruption occurs when one or more device errors (indicating missing or damaged devices) affectsa top-level virtual device. For example, one half of a mirror can experience thousands of device errorswithout ever causing data corruption. If an error is encountered on the other side of the mirror in the exactsame location, corrupted data will be the result.

Data corruption is always permanent and requires special consideration during repair. Even if the under-lying devices are repaired or replaced, the original data is lost forever. Most often this scenario requiresrestoring data from backups. Data errors are recorded as they are encountered, and can be controlledthrough routine disk scrubbing as explained in the following section. When a corrupted block is removed,the next scrubbing pass recognizes that the corruption is no longer present and removes any trace of theerror from the system.

10.2 Checking ZFS Data Integrity

No fsck utility equivalent exists for ZFS. This utility has traditionally served two purposes, data repairand data validation.

158

10.2. Checking ZFS Data Integrity

Data Repair

With traditional file systems, the way in which data is written is inherently vulnerable to unexpected failurecausing data inconsistencies. Because a traditional file system is not transactional, unreferenced blocks,bad link counts, or other inconsistent data structures are possible. The addition of journaling does solvesome of these problems, but can introduce additional problems when the log cannot be rolled back. WithZFS, none of these problems exist. The only way for inconsistent data to exist on disk is through hardwarefailure (in which case the pool should have been redundant) or a bug in the ZFS software exists.

Given that the fsck utility is designed to repair known pathologies specific to individual file systems,writing such a utility for a file system with no known pathologies is impossible. Future experience mightprove that certain data corruption problems are common enough and simple enough such that a repairutility can be developed, but these problems can always be avoided by using redundant pools.

If your pool is not redundant, the chance that data corruption can render some or all of your data inaccessibleis always present.

Data Validation

In addition to data repair, the fsck utility validates that the data on disk has no problems. Traditionally,this task is done by unmounting the file system and running the fsck utility, possibly taking the system tosingle-user mode in the process. This scenario results in downtime that is proportional to the size of thefile system being checked. Instead of requiring an explicit utility to perform the necessary checking, ZFSprovides a mechanism to perform routine checking of all data. This functionality, known as scrubbing, iscommonly used in memory and other systems as a method of detecting and preventing errors before theyresult in hardware or software failure.

Controlling ZFS Data Scrubbing

Whenever ZFS encounters an error, either through scrubbing or when accessing a file on demand, the erroris logged internally so that you can get a quick overview of all known errors within the pool.

Explicit ZFS Data Scrubbing

The simplest way to check your data integrity is to initiate an explicit scrubbing of all data within thepool. This operation traverses all the data in the pool once and verifies that all blocks can be read.Scrubbing proceeds as fast as the devices allow, though the priority of any I/O remains below that ofnormal operations. This operation might negatively impact performance, though the file system shouldremain usable and nearly as responsive while the scrubbing occurs. To initiate an explicit scrub, use thezpool scrub command. For example:

# zpool scrub tank

The status of the current scrub can be displayed in the zpool status output. For example:

# zpool status -v tankpool: tank

state: ONLINEscrub: scrub completed with 0 errors on Wed Aug 30 14:02:24 2006config:

159




Note that only one active scrubbing operation per pool can occur at one time.

You can stop a scrub that is in progress by using the -s option. For example:

# zpool scrub -s tank

In most cases, a scrub operation to ensure data integrity should continue to completion. Stop a scrub atyour own discretion if system performance is impacted by a scrub operation.

Performing routine scrubbing also guarantees continuous I/O to all disks on the system. Routine scrubbinghas the side effect of preventing power management from placing idle disks in low-power mode. If thesystem is generally performing I/O all the time, or if power consumption is not a concern, then this issuecan safely be ignored.

For more information about interpreting zpool status output, see Section 4.6.

ZFS Data Scrubbing and Resilvering

When a device is replaced, a resilvering operation is initiated to move data from the good copies to thenew device. This action is a form of disk scrubbing. Therefore, only one such action can happen at agiven time in the pool. If a scrubbing operation is in progress, a resilvering operation suspends the currentscrubbing, and restarts it after the resilvering is complete.

For more information about resilvering, see Section 10.6.

10.3 Identifying Problems in ZFS

The following sections describe how to identify problems in your ZFS file systems or storage pools.

• Section 10.3

• Section 10.3

• Section 10.3

You can use the following features to identify problems with your ZFS configuration:

• Detailed ZFS storage pool information with the zpool status command

• Pool and device failures are reported with ZFS/FMA diagnostic messages

• Previous ZFS commands that modified pool state information can be displayed with the zpool historycommand

160

10.3. Identifying Problems in ZFS

Most ZFS troubleshooting is centered around the zpool status command. This command analyzes thevarious failures in the system and identifies the most severe problem, presenting you with a suggestedaction and a link to a knowledge article for more information. Note that the command only identifies asingle problem with the pool, though multiple problems can exist. For example, data corruption errorsalways imply that one of the devices has failed. Replacing the failed device does not fix the data corruptionproblems.

In addition, a ZFS diagnostic engine is provided to diagnose and report pool failures and device failures.Checksum, I/O, device, and pool errors associated with pool or device failures are also reported. ZFSfailures as reported by fmd are displayed on the console as well as the system messages file. In most cases,the fmd message directs you to the zpool status command for further recovery instructions.

The basic recovery process is as follows:

• If appropriate, use the zpool history command to identify the previous ZFS commands that led up tothe error scenario. For example:

# zpool historyHistory for ’tank’:2007-04-25.10:19:42 zpool create tank mirror c0t8d0 c0t9d0 c0t10d02007-04-25.10:19:45 zfs create tank/erick2007-04-25.10:19:55 zfs set checksum=off tank/erick

Notice in the above output that checksums are disabled for the tank/erick file system. This configu-ration is not recommended.

• Identify the errors through the fmd messages that are displayed on the system console or in the/var/adm/messages files.

• Find further repair instructions in the zpool status -x command.

• Repair the failures, such as:

– Replace the faulted or missing device and bring it online.

– Restore the faulted configuration or corrupted data from a backup.

– Verify the recovery by using the zpool status -x command.

– Back up your restored configuration, if applicable.

This chapter describes how to interpret zpool status output in order to diagnose the type of failure anddirects you to one of the following sections on how to repair the problem. While most of the work isperformed automatically by the command, it is important to understand exactly what problems are beingidentified in order to diagnose the type of failure.

Determining if Problems Exist in a ZFS Storage Pool

The easiest way to determine if any known problems exist on the system is to use the zpool status -xcommand. This command describes only pools exhibiting problems. If no bad pools exist on the system,then the command displays a simple message, as follows:

# zpool status -xall pools are healthy

161


Without the -x flag, the command displays the complete status for all pools (or the requested pool, ifspecified on the command line), even if the pools are otherwise healthy.

For more information about command-line options to the zpool status command, see Section 4.6.

Reviewing zpool status Output

The complete zpool status output looks similar to the following:

# zpool status tankpool: tank

state: DEGRADEDstatus: One or more devices has been taken offline by the administrator.

Sufficient replicas exist for the pool to continue functioning in adegraded state.

action: Online the device using ’zpool online’ or replace the device with’zpool replace’.


NAME STATE READ WRITE CKSUMtank DEGRADED 0 0 0mirror DEGRADED 0 0 0c1t0d0 ONLINE 0 0 0c1t1d0 OFFLINE 0 0 0


This output is divided into several sections:

Overall Pool Status Information

This header section in the zpool status output contains the following fields, some of which are onlydisplayed for pools exhibiting problems:

poolThe name of the pool.

stateThe current health of the pool. This information refers only to the ability of the pool to providethe necessary replication level. Pools that are ONLINE might still have failing devices or datacorruption.

statusA description of what is wrong with the pool. This field is omitted if no problems are found.

actionA recommended action for repairing the errors. This field is an abbreviated form directing the userto one of the following sections. This field is omitted if no problems are found.

see A reference to a knowledge article containing detailed repair information. Online articles are updatedmore often than this guide can be updated, and should always be referenced for the most up-to-daterepair procedures. This field is omitted if no problems are found.

162

10.3. Identifying Problems in ZFS

scrubIdentifies the current status of a scrub operation, which might include the date and time that the lastscrub was completed, a scrub in progress, or if no scrubbing was requested.

errorsIdentifies known data errors or the absence of known data errors.

Configuration Information

The config field in the zpool status output describes the configuration layout of the devices comprisingthe pool, as well as their state and any errors generated from the devices. The state can be one of thefollowing: ONLINE, FAULTED, DEGRADED, UNAVAILABLE, or OFFLINE. If the state is anything butONLINE, the fault tolerance of the pool has been compromised.

The second section of the configuration output displays error statistics. These errors are divided into threecategories:

• READ – I/O error occurred while issuing a read request.

• WRITE – I/O error occurred while issuing a write request.

• CKSUM – Checksum error. The device returned corrupted data as the result of a read request.

These errors can be used to determine if the damage is permanent. A small number of I/O errors mightindicate a temporary outage, while a large number might indicate a permanent problem with the device.These errors do not necessarily correspond to data corruption as interpreted by applications. If the deviceis in a redundant configuration, the disk devices might show uncorrectable errors, while no errors appearat the mirror or RAID-Z device level. If this scenario is the case, then ZFS successfully retrieved the gooddata and attempted to heal the damaged data from existing replicas.

For more information about interpreting these errors to determine device failure, see Section 10.6.

Finally, additional auxiliary information is displayed in the last column of the zpool status output. Thisinformation expands on the state field, aiding in diagnosis of failure modes. If a device is FAULTED,this field indicates whether the device is inaccessible or whether the data on the device is corrupted. If thedevice is undergoing resilvering, this field displays the current progress.

For more information about monitoring resilvering progress, see Section 10.6.

Scrubbing Status

The third section of the zpool status output describes the current status of any explicit scrubs. Thisinformation is distinct from whether any errors are detected on the system, though this information can beused to determine the accuracy of the data corruption error reporting. If the last scrub ended recently, mostlikely, any known data corruption has been discovered.

For more information about data scrubbing and how to interpret this information, see Section 10.2.

163


Data Corruption Errors

The zpool status command also shows whether any known errors are associated with the pool. Theseerrors might have been found during disk scrubbing or during normal operation. ZFS maintains a persistentlog of all data errors associated with the pool. This log is rotated whenever a complete scrub of the systemfinishes.

Data corruption errors are always fatal. Their presence indicates that at least one application experiencedan I/O error due to corrupt data within the pool. Device errors within a redundant pool do not result indata corruption and are not recorded as part of this log. By default, only the number of errors found isdisplayed. A complete list of errors and their specifics can be found by using the zpool status -v option.For example:

# zpool status -vpool: tank

state: DEGRADEDstatus: One or more devices has experienced an error resulting in data

corruption. Applications may be affected.action: Restore the file in question if possible. Otherwise restore the

entire pool from backup.see: http://illumos.org/msg/ZFS-8000-8A

scrub: resilver completed with 1 errors on Fri Mar 17 15:42:18 2006config:

NAME STATE READ WRITE CKSUMtank DEGRADED 0 0 1mirror DEGRADED 0 0 1c1t0d0 ONLINE 0 0 2c1t1d0 UNAVAIL 0 0 0 corrupted data

errors: The following persistent errors have been detected:

DATASET OBJECT RANGE5 0 lvl=4294967295 blkid=0

A similar message is also displayed by fmd on the system console and the /var/adm/messages file.These messages can also be tracked by using the fmdump command.

For more information about interpreting data corruption errors, see Section 10.7.

System Reporting of ZFS Error Messages

In addition to persistently keeping track of errors within the pool, ZFS also displays syslog messageswhen events of interest occur. The following scenarios generate events to notify the administrator:

• Device state transition – If a device becomes FAULTED, ZFS logs a message indicating that the faulttolerance of the pool might be compromised. A similar message is sent if the device is later broughtonline, restoring the pool to health.

• Data corruption – If any data corruption is detected, ZFS logs a message describing when and wherethe corruption was detected. This message is only logged the first time it is detected. Subsequent accessesdo not generate a message.

• Pool failures and device failures – If a pool failure or device failure occurs, the fault manager daemonreports these errors through syslog messages as well as the fmdump command.

164

10.4. Repairing a Damaged ZFS Configuration

If ZFS detects a device error and automatically recovers from it, no notification occurs. Such errors do notconstitute a failure in the pool redundancy or data integrity. Moreover, such errors are typically the resultof a driver problem accompanied by its own set of error messages.

10.4 Repairing a Damaged ZFS Configuration

ZFS maintains a cache of active pools and their configuration on the root file system. If this file is corruptedor somehow becomes out of sync with what is stored on disk, the pool can no longer be opened. ZFS triesto avoid this situation, though arbitrary corruption is always possible given the qualities of the underlyingfile system and storage. This situation typically results in a pool disappearing from the system when itshould otherwise be available. This situation can also manifest itself as a partial configuration that ismissing an unknown number of top-level virtual devices. In either case, the configuration can be recoveredby exporting the pool (if it is visible at all), and re-importing it.

For more information about importing and exporting pools, see Section 4.7.

10.5 Repairing a Missing Device

If a device cannot be opened, it displays as UNAVAILABLE in the zpool status output. This status meansthat ZFS was unable to open the device when the pool was first accessed, or the device has since becomeunavailable. If the device causes a top-level virtual device to be unavailable, then nothing in the pool canbe accessed. Otherwise, the fault tolerance of the pool might be compromised. In either case, the devicesimply needs to be reattached to the system to restore normal operation.

For example, you might see a message similar to the following from fmd after a device failure:SUNW-MSG-ID: ZFS-8000-D3, TYPE: Fault, VER: 1, SEVERITY: MajorEVENT-TIME: Thu Aug 31 11:40:59 MDT 2006PLATFORM: SUNW,Sun-Blade-1000, CSN: -, HOSTNAME: tankSOURCE: zfs-diagnosis, REV: 1.0EVENT-ID: e11d8245-d76a-e152-80c6-e63763ed7e4eDESC: A ZFS device failed. Refer to http://illumos.org/msg/ZFS-8000-D3 for more information.AUTO-RESPONSE: No automated response will occur.IMPACT: Fault tolerance of the pool may be compromised.REC-ACTION: Run ’zpool status -x’ and replace the bad device.

The next step is to use the zpool status -x command to view more detailed information about the deviceproblem and the resolution. For example:# zpool status -xpool: tank

state: DEGRADEDstatus: One or more devices could not be opened. Sufficient replicas exist for

the pool to continue functioning in a degraded state.action: Attach the missing device and online it using ’zpool online’.

see: http://illumos.org/msg/ZFS-8000-D3scrub: resilver completed with 0 errors on Thu Aug 31 11:45:59 MDT 2006

config:

NAME STATE READ WRITE CKSUMtank DEGRADED 0 0 0mirror DEGRADED 0 0 0c0t1d0 UNAVAIL 0 0 0 cannot openc1t1d0 ONLINE 0 0 0

165


You can see from this output that the missing device c0t1d0 is not functioning. If you determine that thedrive is faulty, replace the device.

Then, use the zpool online command to online the replaced device. For example:

# zpool online tank c0t1d0

Confirm that the pool with the replaced device is healthy.

# zpool status -x tankpool ’tank’ is healthy

Physically Reattaching the Device

Exactly how a missing device is reattached depends on the device in question. If the device is a network-attached drive, connectivity should be restored. If the device is a USB or other removable media, it shouldbe reattached to the system. If the device is a local disk, a controller might have failed such that thedevice is no longer visible to the system. In this case, the controller should be replaced at which pointthe disks will again be available. Other pathologies can exist and depend on the type of hardware and itsconfiguration. If a drive fails and it is no longer visible to the system (an unlikely event), the device shouldbe treated as a damaged device. Follow the procedures outlined in Section 10.6.

Notifying ZFS of Device Availability

Once a device is reattached to the system, ZFS might or might not automatically detect its availability.If the pool was previously faulted, or the system was rebooted as part of the attach procedure, then ZFSautomatically rescans all devices when it tries to open the pool. If the pool was degraded and the devicewas replaced while the system was up, you must notify ZFS that the device is now available and ready tobe reopened by using the zpool online command. For example:

# zpool online tank c0t1d0

For more information about bringing devices online, see Section 4.4.

10.6 Repairing a Damaged Device

This section describes how to determine device failure types, clear transient errors, and replace a device.

Determining the Type of Device Failure

The term damaged device is rather vague, and can describe a number of possible situations:

• Bit rot – Over time, random events, such as magnetic influences and cosmic rays, can cause bits storedon disk to flip in unpredictable events. These events are relatively rare but common enough to causepotential data corruption in large or long-running systems. These errors are typically transient.

• Misdirected reads or writes – Firmware bugs or hardware faults can cause reads or writes of entireblocks to reference the incorrect location on disk. These errors are typically transient, though a largenumber might indicate a faulty drive.

166

10.6. Repairing a Damaged Device

• Administrator error – Administrators can unknowingly overwrite portions of the disk with bad data(such as copying /dev/zero over portions of the disk) that cause permanent corruption on disk. Theseerrors are always transient.

• Temporary outage– A disk might become unavailable for a period time, causing I/Os to fail. Thissituation is typically associated with network-attached devices, though local disks can experiencetemporary outages as well. These errors might or might not be transient.

• Bad or flaky hardware – This situation is a catch-all for the various problems that bad hardwareexhibits. This could be consistent I/O errors, faulty transports causing random corruption, or any numberof failures. These errors are typically permanent.

• Offlined device – If a device is offline, it is assumed that the administrator placed the device in thisstate because it is presumed faulty. The administrator who placed the device in this state can determineis this assumption is accurate.

Determining exactly what is wrong can be a difficult process. The first step is to examine the error countsin the zpool status output as follows:

# zpool status -v pool

The errors are divided into I/O errors and checksum errors, both of which might indicate the possiblefailure type. Typical operation predicts a very small number of errors (just a few over long periods of time).If you are seeing large numbers of errors, then this situation probably indicates impending or completedevice failure. However, the pathology for administrator error can result in large error counts. The othersource of information is the system log. If the log shows a large number of SCSI or fibre channel drivermessages, then this situation probably indicates serious hardware problems. If no syslog messages aregenerated, then the damage is likely transient.

The goal is to answer the following question:

Is another error likely to occur on this device?

Errors that happen only once are considered transient, and do not indicate potential failure. Errors thatare persistent or severe enough to indicate potential hardware failure are considered “fatal.” The act ofdetermining the type of error is beyond the scope of any automated software currently available withZFS, and so much must be done manually by you, the administrator. Once the determination is made, theappropriate action can be taken. Either clear the transient errors or replace the device due to fatal errors.These repair procedures are described in the next sections.

Even if the device errors are considered transient, it still may have caused uncorrectable data errors withinthe pool. These errors require special repair procedures, even if the underlying device is deemed healthyor otherwise repaired. For more information on repairing data errors, see Section 10.7.

Clearing Transient Errors

If the device errors are deemed transient, in that they are unlikely to effect the future health of the device,then the device errors can be safely cleared to indicate that no fatal error occurred. To clear error countersfor RAID-Z or mirrored devices, use the zpool clear command. For example:

# zpool clear tank c1t0d0

167


This syntax clears any errors associated with the device and clears any data error counts associated withthe device.

To clear all errors associated with the virtual devices in the pool, and clear any data error counts associatedwith the pool, use the following syntax:

# zpool clear tank

For more information about clearing pool errors, see Section 4.4.

Replacing a Device in a ZFS Storage Pool

If device damage is permanent or future permanent damage is likely, the device must be replaced. Whetherthe device can be replaced depends on the configuration.

• Section 10.6

• Section 10.6

• Section 10.6

• Section 10.6

Determining if a Device Can Be Replaced

For a device to be replaced, the pool must be in the ONLINE state. The device must be part of a redundantconfiguration, or it must be healthy (in the ONLINE state). If the disk is part of a redundant configuration,sufficient replicas from which to retrieve good data must exist. If two disks in a four-way mirror arefaulted, then either disk can be replaced because healthy replicas are available. However, if two disks in afour-way RAID-Z device are faulted, then neither disk can be replaced because not enough replicas fromwhich to retrieve data exist. If the device is damaged but otherwise online, it can be replaced as long as thepool is not in the FAULTED state. However, any bad data on the device is copied to the new device unlessthere are sufficient replicas with good data.

In the following configuration, the disk c1t1d0 can be replaced, and any data in the pool is copied fromthe good replica, c1t0d0.

mirror DEGRADEDc1t0d0 ONLINEc1t1d0 FAULTED

The disk c1t0d0 can also be replaced, though no self-healing of data can take place because no goodreplica is available.

In the following configuration, neither of the faulted disks can be replaced. The ONLINE disks cannot bereplaced either, because the pool itself is faulted.

raidz FAULTEDc1t0d0 ONLINEc2t0d0 FAULTEDc3t0d0 FAULTEDc3t0d0 ONLINE

168

10.6. Repairing a Damaged Device

In the following configuration, either top-level disk can be replaced, though any bad data present on thedisk is copied to the new disk.

c1t0d0 ONLINEc1t1d0 ONLINE

If either disk were faulted, then no replacement could be performed because the pool itself would befaulted.

Devices That Cannot be Replaced

If the loss of a device causes the pool to become faulted, or the device contains too many data errors in annon-redundant configuration, then the device cannot safely be replaced. Without sufficient redundancy, nogood data with which to heal the damaged device exists. In this case, the only option is to destroy the pooland re-create the configuration, restoring your data in the process.

For more information about restoring an entire pool, see Section 10.7.

Replacing a Device in a ZFS Storage Pool

Once you have determined that a device can be replaced, use the zpool replace command to replace thedevice. If you are replacing the damaged device with another different device, use the following command:

# zpool replace tank c1t0d0 c2t0d0

This command begins migrating data to the new device from the damaged device, or other devices in thepool if it is in a redundant configuration. When the command is finished, it detaches the damaged devicefrom the configuration, at which point the device can be removed from the system. If you have alreadyremoved the device and replaced it with a new device in the same location, use the single device form ofthe command. For example:

# zpool replace tank c1t0d0

This command takes an unformatted disk, formats it appropriately, and then begins resilvering data fromthe rest of the configuration.

For more information about the zpool replace command, see Section 4.4.

Viewing Resilvering Status

The process of replacing a drive can take an extended period of time, depending on the size of the driveand the amount of data in the pool. The process of moving data from one device to another device isknown as resilvering, and can be monitored by using the zpool status command.

Traditional file systems resilver data at the block level. Because ZFS eliminates the artificial layering ofthe volume manager, it can perform resilvering in a much more powerful and controlled manner. The twomain advantages of this feature are as follows:

• ZFS only resilvers the minimum amount of necessary data. In the case of a short outage (as opposed to acomplete device replacement), the entire disk can be resilvered in a matter of minutes or seconds, ratherthan resilvering the entire disk, or complicating matters with “dirty region” logging that some volume

169


managers support. When an entire disk is replaced, the resilvering process takes time proportional to theamount of data used on disk. Replacing a 500-Gbyte disk can take seconds if only a few gigabytes ofused space is in the pool.

• Resilvering is interruptible and safe. If the system loses power or is rebooted, the resilvering processresumes exactly where it left off, without any need for manual intervention.

To view the resilvering process, use the zpool status command. For example:


state: DEGRADEDreason: One or more devices is being resilvered.action: Wait for the resilvering process to complete.

see: http://illumos.org/msg/ZFS-XXXX-08scrub: none requestedconfig:

NAME STATE READ WRITE CKSUMtank DEGRADED 0 0 0mirror DEGRADED 0 0 0replacing DEGRADED 0 0 0 52% resilveredc1t0d0 ONLINE 0 0 0c2t0d0 ONLINE 0 0 0

c1t1d0 ONLINE 0 0 0

In this example, the disk c1t0d0 is being replaced by c2t0d0. This event is observed in the statusoutput by presence of the replacing virtual device in the configuration. This device is not real, nor is itpossible for you to create a pool by using this virtual device type. The purpose of this device is solely todisplay the resilvering process, and to identify exactly which device is being replaced.

Note that any pool currently undergoing resilvering is placed in the DEGRADED state, because the poolcannot provide the desired level of redundancy until the resilvering process is complete. Resilveringproceeds as fast as possible, though the I/O is always scheduled with a lower priority than user-requestedI/O, to minimize impact on the system. Once the resilvering is complete, the configuration reverts to thenew, complete, configuration. For example:


state: ONLINEscrub: scrub completed with 0 errors on Thu Aug 31 11:20:18 2006config:



The pool is once again ONLINE, and the original bad disk (c1t0d0) has been removed from the configu-ration.

170

10.7. Repairing Damaged Data

10.7 Repairing Damaged Data

The following sections describe how to identify the type of data corruption and how to repair the data, ifpossible.

• Section 10.7

• Section 10.7

• Section 10.7

ZFS uses checksumming, redundancy, and self-healing data to minimize the chances of data corruption.Nonetheless, data corruption can occur if the pool isn’t redundant, if corruption occurred while the poolwas degraded, or an unlikely series of events conspired to corrupt multiple copies of a piece of data.Regardless of the source, the result is the same: The data is corrupted and therefore no longer accessible.The action taken depends on the type of data being corrupted, and its relative value. Two basic types ofdata can be corrupted:

• Pool metadata – ZFS requires a certain amount of data to be parsed to open a pool and access datasets.If this data is corrupted, the entire pool or complete portions of the dataset hierarchy will becomeunavailable.

• Object data – In this case, the corruption is within a specific file or directory. This problem might resultin a portion of the file or directory being inaccessible, or this problem might cause the object to bebroken altogether.

Data is verified during normal operation as well as through scrubbing. For more information about how toverify the integrity of pool data, see Section 10.2.

Identifying the Type of Data Corruption

By default, the zpool status command shows only that corruption has occurred, but not where thiscorruption occurred. For example:

# zpool status tank -vpool: tank

state: ONLINEstatus: One or more devices has experienced an error resulting in data





errors: The following persistent errors have been detected:

171


DATASET OBJECT RANGEtank 6 0-512

# zpool statuspool: monkey





NAME STATE READ WRITE CKSUMmonkey ONLINE 0 0 0c1t1d0s6 ONLINE 0 0 0c1t1d0s7 ONLINE 0 0 0

errors: 8 data errors, use ’-v’ for a list

Each error indicates only that an error occurred at the given point in time. Each error is not necessarilystill present on the system. Under normal circumstances, this situation is true. Certain temporary outagesmight result in data corruption that is automatically repaired once the outage ends. A complete scrub ofthe pool is guaranteed to examine every active block in the pool, so the error log is reset whenever a scrubfinishes. If you determine that the errors are no longer present, and you don’t want to wait for a scrub tocomplete, reset all errors in the pool by using the zpool online command.

If the data corruption is in pool-wide metadata, the output is slightly different. For example:

# zpool status -v morpheuspool: morpheus

id: 1422736890544688191state: FAULTED

status: The pool metadata is corrupted.action: The pool cannot be imported due to damaged devices or data.

see: http://illumos.org/msg/ZFS-8000-72config:

morpheus FAULTED corrupted datac1t10d0 ONLINE

In the case of pool-wide corruption, the pool is placed into the FAULTED state, because the pool cannotpossibly provide the needed redundancy level.

Repairing a Corrupted File or Directory

If a file or directory is corrupted, the system might still be able to function depending on the type ofcorruption. Any damage is effectively unrecoverable if no good copies of the data exist anywhere on thesystem. If the data is valuable, you have no choice but to restore the affected data from backup. Even so,you might be able to recover from this corruption without restoring the entire pool.

If the damage is within a file data block, then the file can safely be removed, thereby clearing the errorfrom the system. Use the zpool status -v command to display a list of filenames with persistent errors.For example:

172

10.7. Repairing Damaged Data

# zpool status -vpool: monkey





NAME STATE READ WRITE CKSUMmonkey ONLINE 0 0 0c1t1d0s6 ONLINE 0 0 0c1t1d0s7 ONLINE 0 0 0

errors: Permanent errors have been detected in the following files:

/monkey/a.txt/monkey/bananas/b.txt/monkey/sub/dir/d.txt/monkey/ghost/e.txt/monkey/ghost/boo/f.txt

The preceding output is described as follows:

• If the full path to the file is found and the dataset is mounted, the full path to the file is displayed. Forexample:

/monkey/a.txt

• If the full path to the file is found, but the dataset is not mounted, then the dataset name with no precedingslash (/), followed by the path within the dataset to the file, is displayed. For example:

monkey/ghost:/e.txt

• If the object number to a file path cannot be successfully translated, either due to an error or because theobject doesn’t have a real file path associated with it , as is the case for a dnode_t, then the datasetname followed by the object’s number is displayed. For example:

monkey/dnode:<0x0>

• If an object in the meta-object set (MOS) is corrupted, then a special tag of <metadata>, followed bythe object number, is displayed.

If the damage is within a file data block, then the file can safely be removed, thereby clearing the errorfrom the system. The first step is to try to locate the file by using the find command and specify the objectnumber that is identified in the zpool status output under DATASET/OBJECT/RANGE output as theinode number to find. For example:

# find -inum 6

Then, try removing the file with the rm command. If this command doesn’t work, the corruption is withinthe file’s metadata, and ZFS cannot determine which blocks belong to the file in order to remove thecorruption.

173


If the corruption is within a directory or a file’s metadata, the only choice is to move the file elsewhere.You can safely move any file or directory to a less convenient location, allowing the original object to berestored in place.

Repairing ZFS Storage Pool-Wide Damage

If the damage is in pool metadata that damage prevents the pool from being opened, then you must restorethe pool and all its data from backup. The mechanism you use varies widely by the pool configurationand backup strategy. First, save the configuration as displayed by zpool status so that you can recreate itonce the pool is destroyed. Then, use zpool destroy -f to destroy the pool. Also, keep a file describingthe layout of the datasets and the various locally set properties somewhere safe, as this information willbecome inaccessible if the pool is ever rendered inaccessible. With the pool configuration and datasetlayout, you can reconstruct your complete configuration after destroying the pool. The data can then bepopulated by using whatever backup or restoration strategy you use.

10.8 Repairing an Unbootable System

ZFS is designed to be robust and stable despite errors. Even so, software bugs or certain unexpectedpathologies might cause the system to panic when a pool is accessed. As part of the boot process, eachpool must be opened, which means that such failures will cause a system to enter into a panic-reboot loop.In order to recover from this situation, ZFS must be informed not to look for any pools on startup.

ZFS maintains an internal cache of available pools and their configurations in /etc/zfs/zpool.cache. The location and contents of this file are private and are subject to change. If the system becomesunbootable, boot to the none milestone by using the -m milestone=none boot option. Once thesystem is up, remount your root file system as writable and then remove /etc/zfs/zpool.cache.These actions cause ZFS to forget that any pools exist on the system, preventing it from trying to accessthe bad pool causing the problem. You can then proceed to a normal system state by issuing the svcadmmilestone all command. You can use a similar process when booting from an alternate root to performrepairs.

Once the system is up, you can attempt to import the pool by using the zpool import command. However,doing so will likely cause the same error that occurred during boot, because the command uses the samemechanism to access pools. If more than one pool is on the system and you want to import a specific poolwithout accessing any other pools, you must re-initialize the devices in the damaged pool, at which pointyou can safely import the good pool.

174

zfs administration guide - illumos.org · zfs administration guide. ... zfs delegated...

Documents